Re: Jessie iceweasel: This Connection is Untrusted
On Fri 01 Oct 2021 at 13:20:01 (+0200), Thomas Schmitt wrote:
> I would prefer not to rely on an allow-list.
>
> So i currently ponder how to transplant the certificates from a Debian 10
> machine.
> man update-ca-certificates talks of
> /etc/ssl/certs
> /etc/ca-certificates.conf
> /usr/share/ca-certificates
> In the latter i see on Debian 10:
> ./mozilla
> with 126 .crt files.
> The Debian 8 machine has 172 files in there.
> The ca-certificates.conf files seem just to list those files on both
> machines.
>
> So a brute force attempt would be to rename the two directories and
> the file to other names and to then copy the Debian 10 stuff to the
> original names. The new /etc/ssl/certs would start empty and be
> populated by update-ca-certificates(8).
>
> Well, same old question: How bad an idea is this ?
> What should i read before making such theories ?
Looking at the Packages files for wheezy and stretch, the dependencies
haven't changed:
stretch
Package: ca-certificates
Version: 20200601~deb9u1
Installed-Size: 380
Maintainer: Michael Shuler <michael@pbandjelly.org>
Architecture: all
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
wheezy
Package: ca-certificates
Version: 20130119+deb7u1
Installed-Size: 432
Maintainer: Michael Shuler <michael@pbandjelly.org>
Architecture: all
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
So under the circumstances, having backed up the files in /etc
and /usr/share for ca-certificates and openssl, I would install
stretch's version manually, using the variant syntax:
apt ./ca-certificates_20200601~deb9u1_all.deb
Cheers,
David.
Reply to: