I thought by adding certificates to /etc/ssl/certs they would automatically be used in browsers and mail clients. How much wronger can you be...
Findings
- Mozilla uses libnss, which brings its own list of trusted certificates in /usr/lib/firefox/libnssckbi.so (see bug #316436)
- KDE comes with its own certificates in kdelibs5-data: /usr/share/kde4/apps/kssl/ca-bundle.crt
- It seems that Kleopatra only works on stuff under ~/.gnupg and ignores /etc/ssl/certs? Kleopatra and KMail use gpgsm for S/MIME?
- gpgsm seems to come with an empty trust list? https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/273625
- KDE SSL bug: https://bugs.kde.org/show_bug.cgi?id=162485
Crypto Consolidation
Fedora is working to consolidate cryptography: https://fedoraproject.org/wiki/FedoraCryptoConsolidation
The matter has also been discussed on debian-devel without a conclusion: http://lists.debian.org/debian-devel/2011/04/msg01062.html
Tips
This might work to make ca-certificates available in KDE apps? (source)
# dpkg-divert --local --rename --add /usr/share/kde4/apps/kssl/ca-bundle.crt
# ln -s /etc/ssl/certs/ca-certificates.crt /usr/share/kde4/apps/kssl/ca-bundle.crt
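To check whether a CA added under /etc/ssl/certs is actually present in an application's own bundle (for instance before and after the diversion above), the two PEM bundles can be compared by certificate fingerprint. This is an added example, not part of the original page; the function names are hypothetical, and the default paths are the ones named in the findings above.

```python
"""Compare the CA certificates in two PEM bundles by SHA-256 fingerprint."""
import base64
import hashlib
import re
import sys

# Paths taken from the page; the second one only exists on KDE 4 systems.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
KDE_BUNDLE = "/usr/share/kde4/apps/kssl/ca-bundle.crt"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints (hex) of every certificate block."""
    result = set()
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # skip blocks whose body is not valid base64
        result.add(hashlib.sha256(der).hexdigest())
    return result


def compare(system_pem, app_pem):
    """Return (missing_in_app, extra_in_app) as sorted fingerprint lists."""
    system, app = fingerprints(system_pem), fingerprints(app_pem)
    return sorted(system - app), sorted(app - system)


def main(argv):
    system_path = argv[1] if len(argv) > 1 else SYSTEM_BUNDLE
    app_path = argv[2] if len(argv) > 2 else KDE_BUNDLE
    with open(system_path, encoding="utf-8", errors="replace") as f:
        system_pem = f.read()
    with open(app_path, encoding="utf-8", errors="replace") as f:
        app_pem = f.read()
    missing, extra = compare(system_pem, app_pem)
    for fp in missing:
        print("only in", system_path, fp)
    for fp in extra:
        print("only in", app_path, fp)
    return 1 if missing or extra else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means the two bundles differ, so a locally added CA listed as "only in" the system bundle is not trusted by the application reading the other file.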
See Also
Also related is the global configuration of other cryptographic settings; see CryptoPolicy for suggestions.