From 958c7e4b9ff1a826751f7020e320e17bb99a37ac Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Sun, 3 Sep 2017 14:31:30 +0200
Subject: [PATCH] ssl/ca-global: blacklist SPI/StartCom/WoSign CAs

---
 modules/ssl/files/ca-certificates-global.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/modules/ssl/files/ca-certificates-global.conf b/modules/ssl/files/ca-certificates-global.conf
index 684221bc0..fa10a90fe 100644
--- a/modules/ssl/files/ca-certificates-global.conf
+++ b/modules/ssl/files/ca-certificates-global.conf
@@ -1,2 +1,15 @@
 # This file is under puppet control
 # All CAs are trusted, see /etc/ssl/ca-global/README
+
+# blacklist SPI's old CA
+!spi-inc.org/spi-cacert-2008.crt
+
+# blacklist StartCom/WoSign
+# https://wiki.mozilla.org/CA:WoSign_Issues
+!mozilla/StartCom_Certification_Authority_2.crt
+!mozilla/StartCom_Certification_Authority_G2.crt
+!mozilla/StartCom_Certification_Authority.crt
+!mozilla/WoSign_China.crt
+!mozilla/WoSign.crt
+!mozilla/CA_WoSign_ECC_Root.crt
+!mozilla/Certification_Authority_of_WoSign_G2.crt
-- 
2.20.1
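Review bot: The header comment kept as context at the top of ca-certificates-global.conf still reads "All CAs are trusted", which contradicts the `!` exclusions added directly below it; someone auditing the trust store from that header would miss that SPI's 2008 CA and the StartCom/WoSign roots are now distrusted. I would reword it to `# All CAs are trusted except those excluded with '!' below, see /etc/ssl/ca-global/README`. The exclusions appear to match on certificate file path, so a root that upstream renames or adds later for these CAs would presumably not be covered; it is worth confirming after the puppet run that none of the listed certificates remain in the generated bundle. The SPI entry would also benefit from a one-line reason or reference, as the StartCom/WoSign block has with its Mozilla wiki link.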