
Bug 2785

Summary: Let's encrypt certificates does not work, DST Root CA X3 invalid (/etc/trinity/ksslcalist outdated?)
Product: TDE
Reporter: linux
Component: tdelibs
Assignee: Timothy Pearson <kb9vqf>
Status: PATCHAVAIL ---
Severity: normal
CC: bugwatch, linux, michele.calgaro, slavek.banko, wofgdkncxojef
Priority: P5
Version: R14.0.x [Trinity]
Hardware: All
OS: Linux
Compiler Version:
TDE Version String:
Application Version:
Application Name:
Bug Depends on:
Bug Blocks: 2968
Attachments: Certificate details screenshot

Description linux 2017-06-21 12:22:33 CDT
I've upgraded from Debian 8 to Debian 9 and noticed that certificates issued by Let's Encrypt (e.g. https://letsencrypt.org/) are treated as invalid because DST Root CA X3 is missing from the root CA list (as seen on the "SSL Signers" tab in Crypto configuration).

The list apparently comes from /etc/trinity/ksslcalist file (tdelibs-data-trinity package) which seems to be horribly outdated (2011). When I remove it, the CA list is empty. Can't it be automatically generated from system certificate list? Is this file needed at all?

/opt/trinity/share/apps/kssl/ca-bundle.crt is a symlink to system file /etc/ssl/certs/ca-certificates.crt

I'm running Trinity preliminary stable builds (and was running the same before the upgrade).
Comment 1 Michele Calgaro 2018-08-05 03:54:19 CDT
There were changes that went into the code that checks the validity of certificates. Can you check again with R14.0.5 or Slavek's PSB?
Comment 2 linux 2018-08-05 11:05:30 CDT
Created attachment 2891: Certificate details screenshot

No change in behavior.
Comment 3 Michele Calgaro 2018-08-05 22:17:55 CDT
ok, thanks for the feedback.
Comment 4 linux 2020-06-05 04:20:50 CDT
/etc/trinity/ksslcalist could be generated using a script like this:
```sh
#!/bin/sh
# Build a ksslcalist from the system CA directory: one [subject] section per
# certificate, with the base64 body (BEGIN/END lines dropped) joined on one line.
for f in /etc/ssl/certs/*.pem; do
        printf "[%s]\nx509=" "$(openssl x509 -noout -subject -nameopt compat -in "$f" | sed 's/^subject=//')"
        grep -F -v -- ----- "$f" | tr -d '\n'
        printf "\ncode=true\nemail=true\nsite=true\n\n"
done >ksslcalist
```

Note that the "code", "email" and "site" parameters are hardcoded and not read from the certificate - I don't know how to get them.
Comment 5 linux 2020-06-05 13:41:44 CDT
The script could be added to /etc/ca-certificates/update.d/ (at least in Debian) to update ksslcalist automatically on any certificate updates.
Comment 6 Michele Calgaro 2020-06-06 04:57:22 CDT
Thanks, we will have a look :-)
Comment 7 linux 2020-06-08 09:06:13 CDT
Found some ksslcalist code in newer kssl sources which explains the site, email and code parameters:

```perl
    $subj = `openssl x509 -in $file -inform DER -noout -subject`;
    $_ = $subj;
    # We don't trust this anymore, so we keep our own copy
    if ( /TrustCenter/ ) {
        continue;
    }
    if ( /[Oo]bject/ || /[Cc]ode/ ) {
        $codeSubj = 1;
    } else {
        $codeSubj = 0;
    }
    $subj =~ s|\n$||;
    $subj =~ s/^subject= //;
    $purpose = `openssl x509 -in $file -inform DER -noout -purpose`;
    print BDL "\n";
    print BDL "[$subj]\n";
    print BDL "x509=$pem\n";
    #
    $_ = $purpose;
    if ( /server CA : Yes\n/ || /client CA : Yes\n/ || (/Any Purpose CA : Yes\n/ && (/client : Yes\n/ || /server : Yes\n/ ))) {
       $v_site="true";
    } else {
       $v_site="false";
    }
    #
    if ( /MIME signing CA : Yes\n/ || /MIME encryption CA : Yes\n/ ) {
       $v_email="true";
    } else {
       $v_email="false";
    }
    #
    if ( /Any Purpose CA : Yes\n/ && $codeSubj == 1) {
       $v_code="true";
    } else {
       $v_code="false";
    }

    # are some certificates really broken?
    if ($v_code == "false" && $v_email == "false") {
        $v_site = "true";
    }

    print BDL "site=$v_site\n";
    print BDL "email=$v_email\n";
    print BDL "code=$v_code\n";
```
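The following is an added example, not TDE/kssl code and not the reporter's script. It combines the two ideas in comments 4 and 7: generate ksslcalist entries from the system PEM bundle with the openssl CLI, and derive the site/email/code flags from `openssl x509 -purpose` output using the rules of the Perl fragment above instead of hardcoding them to true. One caveat on the fragment: `$v_code == "false"` compares the strings numerically, and in Perl both "true" and "false" numify to 0, so that fallback branch fires for every certificate; the example below uses the string comparison the comment evidently intends. The purpose texts and the PEM body are constructed samples, not real certificates, and the `openssl` subprocess calls (flags `-noout -subject -nameopt compat` and `-noout -purpose`) are only exercised by the command-line entry point, which assumes the openssl binary is on PATH.

```python
#!/usr/bin/env python3
"""Generate a ksslcalist-style file from a PEM CA bundle (added example, not kssl code)."""
import re
import subprocess
import sys

# Subjects the kssl script deliberately skips ("We don't trust this anymore").
SKIP_SUBJECT_PATTERNS = ("TrustCenter",)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)

# Constructed samples of `openssl x509 -noout -purpose` output (abbreviated for the
# latter two); only the "<purpose> : Yes/No" lines matter to the rules below.
SAMPLE_PURPOSE_WEB_ROOT = """Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
"""
SAMPLE_PURPOSE_EMAIL_ONLY = """Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : No
SSL server CA : No
S/MIME signing CA : Yes
S/MIME encryption CA : Yes
Any Purpose CA : Yes
"""
SAMPLE_PURPOSE_CRL_ONLY = """Certificate purposes:
SSL server CA : No
S/MIME signing CA : No
CRL signing CA : Yes
Any Purpose CA : No
"""
# Constructed PEM block: the body is a placeholder, not a parseable certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\nBBBB\n-----END CERTIFICATE-----\n"


def iter_pem_certs(bundle_text):
    """Yield each PEM certificate block (BEGIN..END, no trailing newline) in a bundle."""
    for m in PEM_RE.finditer(bundle_text):
        yield m.group(0)


def x509_base64(pem_cert):
    """The x509= value: base64 body with BEGIN/END lines and line breaks removed."""
    m = PEM_RE.search(pem_cert)
    if m is None:
        raise ValueError("not a PEM certificate")
    return "".join(m.group(1).split())


def purpose_flags(purpose_text, subject):
    """Map -purpose output to site/email/code booleans, mirroring the kssl rules.

    Substring tests match the Perl regexes: "server CA : Yes" is found in both
    "SSL server CA : Yes" and "Netscape SSL server CA : Yes".
    """
    def has(marker):
        return (marker + "\n") in purpose_text

    code_subj = re.search(r"[Oo]bject|[Cc]ode", subject) is not None
    site = (has("server CA : Yes") or has("client CA : Yes")
            or (has("Any Purpose CA : Yes") and (has("client : Yes") or has("server : Yes"))))
    email = has("MIME signing CA : Yes") or has("MIME encryption CA : Yes")
    code = has("Any Purpose CA : Yes") and code_subj
    # kssl's "are some certificates really broken?" fallback, with the string
    # comparison the Perl intends: a CA good for neither mail nor code is a site CA.
    if not code and not email:
        site = True
    return {"site": site, "email": email, "code": code}


def format_entry(subject, pem_cert, flags):
    """One [subject] section in ksslcalist syntax."""
    def b(v):
        return "true" if v else "false"
    return (f"[{subject}]\nx509={x509_base64(pem_cert)}\n"
            f"site={b(flags['site'])}\nemail={b(flags['email'])}\ncode={b(flags['code'])}\n\n")


def openssl_x509(args, pem_cert):
    """Run `openssl x509 -noout <args>` on one PEM cert fed via stdin (needs openssl in PATH)."""
    return subprocess.run(["openssl", "x509", "-noout", *args], input=pem_cert,
                          capture_output=True, text=True, check=True).stdout


def build_ksslcalist(bundle_text):
    """Full generator over a bundle such as /etc/ssl/certs/ca-certificates.crt."""
    entries = []
    for cert in iter_pem_certs(bundle_text):
        subject = re.sub(r"^subject=\s*", "",
                         openssl_x509(["-subject", "-nameopt", "compat"], cert).strip())
        if any(p in subject for p in SKIP_SUBJECT_PATTERNS):
            continue
        entries.append(format_entry(subject, cert, purpose_flags(openssl_x509(["-purpose"], cert), subject)))
    return "".join(entries)


if __name__ == "__main__":
    # Usage: gen-ksslcalist.py /etc/ssl/certs/ca-certificates.crt > ksslcalist
    with open(sys.argv[1]) as fh:
        sys.stdout.write(build_ksslcalist(fh.read()))
```

Dropped into /etc/ca-certificates/update.d/ as comment 5 suggests (writing to /etc/trinity/ksslcalist instead of stdout), it regenerates the list whenever the system bundle changes; note that the `[Oo]bject|[Cc]ode` subject heuristic for code-signing CAs is inherited from kssl and is not derived from any certificate extension.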