ssl/ca-global: blacklist SPI/StartCom/WoSign CAs

author Julien Cristau <jcristau@debian.org>

Sun, 3 Sep 2017 12:31:30 +0000 (14:31 +0200)

committer Julien Cristau <jcristau@debian.org>

Sun, 3 Sep 2017 12:31:46 +0000 (14:31 +0200)
author Julien Cristau <jcristau@debian.org>
Sun, 3 Sep 2017 12:31:30 +0000 (14:31 +0200)
committer Julien Cristau <jcristau@debian.org>
Sun, 3 Sep 2017 12:31:46 +0000 (14:31 +0200)
diff --git a/modules/ssl/files/ca-certificates-global.conf b/modules/ssl/files/ca-certificates-global.conf

index 684221b..fa10a90 100644 (file)
--- a/modules/ssl/files/ca-certificates-global.conf
+++ b/modules/ssl/files/ca-certificates-global.conf
@@ -1,2 +1,15 @@
  # This file is under puppet control
  # All CAs are trusted, see /etc/ssl/ca-global/README
+
+# blacklist SPI's old CA
+!spi-inc.org/spi-cacert-2008.crt
+
+# blacklist StartCom/WoSign
+# https://wiki.mozilla.org/CA:WoSign_Issues
+!mozilla/StartCom_Certification_Authority_2.crt
+!mozilla/StartCom_Certification_Authority_G2.crt
+!mozilla/StartCom_Certification_Authority.crt
+!mozilla/WoSign_China.crt
+!mozilla/WoSign.crt
+!mozilla/CA_WoSign_ECC_Root.crt
+!mozilla/Certification_Authority_of_WoSign_G2.crt
author	Julien Cristau <jcristau@debian.org>
	Sun, 3 Sep 2017 12:31:30 +0000 (14:31 +0200)
committer	Julien Cristau <jcristau@debian.org>
	Sun, 3 Sep 2017 12:31:46 +0000 (14:31 +0200)