From 2741e2bb58f599a73ba60737de45704e9f42adf5 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sun, 3 Sep 2017 15:41:39 +0200
Subject: [PATCH] ssl/ca-global: add certs recently removed from nss to
 blacklist

---
 modules/ssl/files/ca-certificates-global.conf | 46 +++++++++++++++++--
 1 file changed, 42 insertions(+), 4 deletions(-)

diff --git a/modules/ssl/files/ca-certificates-global.conf b/modules/ssl/files/ca-certificates-global.conf
index c97220f29..e578635ae 100644
--- a/modules/ssl/files/ca-certificates-global.conf
+++ b/modules/ssl/files/ca-certificates-global.conf
@@ -14,9 +14,47 @@
 !mozilla/CA_WoSign_ECC_Root.crt
 !mozilla/Certification_Authority_of_WoSign_G2.crt
 
-# https://wiki.mozilla.org/CA/Additional_Trust_Changes#CNNIC
+# removed in ca-certificates 20170717 (nss builtins version 2.14)
+!mozilla/AC_RaÃ­z_CerticÃ¡mara_S.A..crt
+!mozilla/ApplicationCA_-_Japanese_Government.crt
+!mozilla/Buypass_Class_2_CA_1.crt
+!mozilla/ComSign_CA.crt
+!mozilla/EBG_Elektronik_Sertifika_Hizmet_SaÄlayÄ±cÄ±sÄ±.crt
+!mozilla/Equifax_Secure_CA.crt
+!mozilla/Equifax_Secure_eBusiness_CA_1.crt
+!mozilla/Equifax_Secure_Global_eBusiness_CA.crt
+!mozilla/IGC_A.crt
+!mozilla/Juur-SK.crt
+!mozilla/Microsec_e-Szigno_Root_CA.crt
+!mozilla/Root_CA_Generalitat_Valenciana.crt
+!mozilla/RSA_Security_2048_v3.crt
+!mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
+!mozilla/S-TRUST_Universal_Root_CA.crt
+!mozilla/SwissSign_Platinum_CA_-_G2.crt
+!mozilla/TC_TrustCenter_Class_3_CA_II.crt
+!mozilla/TÃRKTRUST_Elektronik_Sertifika_Hizmet_SaÄlayÄ±cÄ±sÄ±_H6.crt
+!mozilla/UTN_USERFirst_Email_Root_CA.crt
+!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
+!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
+!mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
+!mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
+!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
+!mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
+
+# removed in nss builtins version 2.16
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1380868
 !mozilla/CNNIC_ROOT.crt
 !mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt
-
-# https://wiki.mozilla.org/CA/Additional_Trust_Changes#ANSSI
-!mozilla/IGC_A.crt
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1359515
+!mozilla/Swisscom_Root_CA_2.crt
+!mozilla/Swisscom_Root_CA_1.crt
+!mozilla/Swisscom_Root_EV_CA_2.crt
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1366114
+!mozilla/GeoTrust_Global_CA_2.crt
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1366403
+!mozilla/AddTrust_Low-Value_Services_Root.crt
+!mozilla/AddTrust_Public_Services_Root.crt
+!mozilla/AddTrust_Qualified_Certificates_Root.crt
+!mozilla/Comodo_Secure_Services_root.crt
+!mozilla/Comodo_Trusted_Services_root.crt
+!mozilla/UTN_USERFirst_Hardware_Root_CA.crt
-- 
2.20.1