From: Julien Cristau Date: Sun, 3 Sep 2017 12:31:30 +0000 (+0200) Subject: ssl/ca-global: blacklist SPI/StartCom/WoSign CAs X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=958c7e4b9ff1a826751f7020e320e17bb99a37ac;p=mirror%2Fdsa-puppet.git ssl/ca-global: blacklist SPI/StartCom/WoSign CAs --- diff --git a/modules/ssl/files/ca-certificates-global.conf b/modules/ssl/files/ca-certificates-global.conf index 684221bc0..fa10a90fe 100644 --- a/modules/ssl/files/ca-certificates-global.conf +++ b/modules/ssl/files/ca-certificates-global.conf @@ -1,2 +1,15 @@ # This file is under puppet control # All CAs are trusted, see /etc/ssl/ca-global/README + +# blacklist SPI's old CA +!spi-inc.org/spi-cacert-2008.crt + +# blacklist StartCom/WoSign +# https://wiki.mozilla.org/CA:WoSign_Issues +!mozilla/StartCom_Certification_Authority_2.crt +!mozilla/StartCom_Certification_Authority_G2.crt +!mozilla/StartCom_Certification_Authority.crt +!mozilla/WoSign_China.crt +!mozilla/WoSign.crt +!mozilla/CA_WoSign_ECC_Root.crt +!mozilla/Certification_Authority_of_WoSign_G2.crt
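Review bot: The unchanged header comment in the `@@ -1,2 +1,15 @@` hunk still reads "# All CAs are trusted, see /etc/ssl/ca-global/README", which contradicts the file once the "!" entries are added below it. Consider rewording it to say that all CAs are trusted except those blacklisted below, and updating the referenced README in the same commit if it makes the same statement. Separately, the StartCom/WoSign block cites https://wiki.mozilla.org/CA:WoSign_Issues as its justification, but the "# blacklist SPI's old CA" comment gives no reason or reference for dropping spi-inc.org/spi-cacert-2008.crt. A one-line rationale there would help whoever audits this trust list later.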