Mailing List Archive



Re: [tlug] firefox SSL certs



>  > However under ssl/certs/ there is one modified file, one deleted file
>  > and two new (untracked) files. Is there a way to take the 8 hex-digit
>  > certificate filename and learn about it?
> 
> git commit (however you do that), then git checkout HEAD^ ABCD1234 (or
> so), followed by openssl x509 ABCD1234 or something like that.  Then
> git checkout HEAD.

Thanks Stephen. The full openssl command is:
    openssl x509 -in ABCD1234.0  -text

But it turns out the .0 files (that are new) are just symbolic links to
.pem files (that are not), and the linked filename tells me as much as I
need to know. (BTW, the deleted .o file seems to correspond with the
deleted DigiNotar_Root_CA.pem.)

Now I'm wondering:
 1. Why two symbolic links got created, and one got moved, when the actual
certificates already existed. Is that normal behaviour after a minor
firefox update?

 2. Why none of these files seem to belong to any package (at least
according to apt-file). Neither the *.o files nor the *.pem files.

For the second question I'm wondering if it was just coincidence that I
got new certificates (for the first time in 5 weeks, i.e. since putting
/etc under git control) from normal browsing, on the same day that
firefox has an update that alters ssl certificates. Sounds unlikely,
doesn't it? But then why are those files not owned by the firefox package?

My third question is what would happen if I delete these new symlinks?
What would happen if I deleted the *.pem files they point to? Would it
just mean an extra behind-the-scenes certificate download next time I
visit a site that needs it? (In other words is /etc/ssl/certs just a
cache directory?) Or would valid sites start complaining when I browse them?

(This is just intellectual curiosity/paranoia; I'm sure at the end of
the day I'll just check the new files in and assume someone cleverer
than me knows what they are doing...)

Darren


-- 
Darren Cook, Software Researcher/Developer

http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)
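
The hash-named entries discussed in this message can be checked with a short script. This is an added example, not part of the original post: it lists each 8-hex-digit entry in a certificate directory with its link target and flags links whose target is gone, as with the deleted DigiNotar file mentioned above. The function names and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenSSL-style hash links (8 hex digits + ".N") in a
# certificate directory. Output: STATUS<TAB>name<TAB>target
#   ok        symlink whose target exists
#   dangling  symlink whose target is gone (certificate file removed)
#   regular   hash-named plain file rather than a symlink

is_hash_name() {
    case $1 in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*) ;;
        *) return 1 ;;
    esac
    case ${1#*.} in
        ''|*[!0-9]*) return 1 ;;   # suffix must be all digits
    esac
    return 0
}

audit_hash_links() {
    for ahl_entry in "$1"/*; do
        ahl_name=${ahl_entry##*/}
        is_hash_name "$ahl_name" || continue
        if [ -L "$ahl_entry" ]; then
            ahl_status=dangling
            [ -e "$ahl_entry" ] && ahl_status=ok
            printf '%s\t%s\t%s\n' "$ahl_status" "$ahl_name" "$(readlink "$ahl_entry")"
        elif [ -f "$ahl_entry" ]; then
            printf 'regular\t%s\t-\n' "$ahl_name"
        fi
    done
    return 0
}

# Constructed sample directory (empty placeholder files, not real certificates).
make_sample_dir() {
    msd=$(mktemp -d) || return 1
    : > "$msd/Example_Root_CA.pem"
    ln -s Example_Root_CA.pem "$msd/1a2b3c4d.0"   # healthy link
    ln -s Removed_Root_CA.pem "$msd/deadbeef.0"   # target no longer present
    : > "$msd/0badcafe.1"                         # plain file with a hash name
    printf '%s\n' "$msd"
}

if [ "$#" -gt 0 ]; then
    audit_hash_links "$1"
else
    sample=$(make_sample_dir) && audit_hash_links "$sample"
    rm -rf "$sample"
fi
```

Pass a directory such as /etc/ssl/certs as the first argument; any entry it reports can then be inspected with the `openssl x509 -in ABCD1234.0 -text` command given in the message.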

