Mailing List Archive
Re: [tlug] firefox SSL certs
- Date: Mon, 12 Sep 2011 10:10:52 +0900
- From: Darren Cook <darren@example.com>
- Subject: Re: [tlug] firefox SSL certs
- References: <4E6D3A61.6020409@example.com> <87sjo2pr6d.fsf@example.com>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Thunderbird/3.1.13
> > However under ssl/certs/ there is one modified file, one deleted file
> > and two new (untracked) files. Is there a way to take the 8 hex-digit
> > certificate filename and learn about it?
>
> git commit (however you do that), then git checkout HEAD^ ABCD1234 (or
> so), followed by openssl x509 ABCD1234 or something like that. Then
> git checkout HEAD.

Thanks Stephen. The full openssl command is:

  openssl x509 -in ABCD1234.0 -text

But it turns out the .0 files (that are new) are just symbolic links to
.pem files (that are not), and the linked filename tells me as much as I
need to know. (BTW, the deleted .o file seems to correspond with the
deleted DigiNotar_Root_CA.pem.)

Now I'm wondering:

1. Why two symbolic links got created, and one got moved, when the actual
certificates already existed. Is that normal behaviour after a minor
firefox update?

2. Why none of these files seem to belong to any package (at least
according to apt-file). Neither the *.o files nor the *.pem files.

For the second question I'm wondering if it was just coincidence that I
got new certificates (for the first time in 5 weeks, i.e. since putting
/etc under git control) from normal browsing, on the same day that
firefox has an update that alters ssl certificates. Sounds unlikely,
doesn't it? But, then why are those files not owned by the firefox package?

My third question is what would happen if I delete these new symlinks?
What would happen if I deleted the *.pem files they point to? Would it
just mean an extra behind-the-scenes certificate download next time I
visit a site that needs it? (In other words is /etc/ssl/certs just a
cache directory?) Or would valid sites start complaining when I browse them?

(This is just intellectual curiosity/paranoia; I'm sure at the end of
the day I'll just check the new files in and assume someone cleverer
than me knows what they are doing...)

Darren

-- 
Darren Cook, Software Researcher/Developer
http://dcook.org/work/ (About me and my work)
http://dcook.org/blogs.html (My blogs and articles)
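What the 8-hex-digit names encode, shown as an added example that is not part of the original post or of any reply: in an OpenSSL-style certificate directory each link is named after the subject-name hash of the certificate it points to, so every `.0` entry can be checked against `openssl x509 -subject_hash`. The function names and the throwaway demo directory with its self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the hash-named links in a certificate directory.

# check_link FILE prints one tab-separated line: STATUS NAME TARGET SUBJECT
# STATUS is ok (name equals the subject hash), mismatch, dangling or notlink.
check_link() {
    f=$1
    name=$(basename "$f")
    if [ ! -L "$f" ]; then
        printf 'notlink\t%s\t-\t-\n' "$name"; return 0
    fi
    target=$(readlink "$f")
    if [ ! -e "$f" ]; then            # link exists, its target does not
        printf 'dangling\t%s\t%s\t-\n' "$name" "$target"; return 0
    fi
    hash=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null)
    subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
    if [ "$hash" = "${name%.*}" ]; then status=ok; else status=mismatch; fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$name" "$target" "$subject"
}

# audit_cert_dir [DIR] checks every NAME.<digit> entry; DIR defaults to the
# directory discussed in the thread.
audit_cert_dir() {
    dir=${1:-/etc/ssl/certs}
    for f in "$dir"/*.[0-9]; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip an unmatched glob
        check_link "$f"
    done
}

# make_demo_dir builds a constructed directory (not real trust-store data)
# holding one self-signed certificate and three links, and prints its path.
make_demo_dir() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/key" -out "$d/Demo_CA.pem" 2>/dev/null
    h=$(openssl x509 -in "$d/Demo_CA.pem" -noout -subject_hash)
    ln -s Demo_CA.pem "$d/$h.0"          # correctly named link
    ln -s Demo_CA.pem "$d/deadbeef.0"    # name does not match the hash
    ln -s Gone.pem "$d/0badc0de.0"       # target is missing
    echo "$d"
}
```

Run `audit_cert_dir` with no argument to check /etc/ssl/certs, or `audit_cert_dir "$(make_demo_dir)"` to see all three statuses on the constructed directory.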