Bug 87325

Summary: certificate with distrust in location for anchors
Product: p11-glue Reporter: micsnare <rockandsnap>
Component: p11-kitAssignee: Stef Walter <stefw>
Status: NEEDINFO --- QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: All   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description micsnare 2014-12-15 11:16:16 UTC 
hi,

when running "trust extract-compat" I get the following output:

p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Google.crt
p11-kit: certificate with distrust in location for anchors: Bogus_live.com.crt
p11-kit: certificate with distrust in location for anchors: CAcert_Class_3_Root.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Services_1024_CA.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_3.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_1.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Global_Trustee.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Skype.crt
p11-kit: certificate with distrust in location for anchors: TC_TrustCenter_Universal_CA_III.crt
p11-kit: certificate with distrust in location for anchors: Bogus_GMail.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA_2nd.crt
p11-kit: certificate with distrust in location for anchors: MD5_Collisions_Forged_Rogue_CA_25c3.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__en_.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid_G2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Mozilla_Addons.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__cyb_.crt
p11-kit: certificate with distrust in location for anchors: UTN-USERFirst-Network_Applications.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid.crt
p11-kit: certificate with distrust in location for anchors: CA_Cert_Signing_Authority.crt
p11-kit: certificate with distrust in location for anchors: USERTrust_Legacy_Secure_Server_CA.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Root_CA.crt
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Google.crt
p11-kit: certificate with distrust in location for anchors: Bogus_live.com.crt
p11-kit: certificate with distrust in location for anchors: CAcert_Class_3_Root.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Services_1024_CA.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_3.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_1.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Global_Trustee.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Skype.crt
p11-kit: certificate with distrust in location for anchors: TC_TrustCenter_Universal_CA_III.crt
p11-kit: certificate with distrust in location for anchors: Bogus_GMail.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA_2nd.crt
p11-kit: certificate with distrust in location for anchors: MD5_Collisions_Forged_Rogue_CA_25c3.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__en_.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid_G2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Mozilla_Addons.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__cyb_.crt
p11-kit: certificate with distrust in location for anchors: UTN-USERFirst-Network_Applications.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid.crt
p11-kit: certificate with distrust in location for anchors: CA_Cert_Signing_Authority.crt
p11-kit: certificate with distrust in location for anchors: USERTrust_Legacy_Secure_Server_CA.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Root_CA.crt
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Google.crt
p11-kit: certificate with distrust in location for anchors: Bogus_live.com.crt
p11-kit: certificate with distrust in location for anchors: CAcert_Class_3_Root.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Services_1024_CA.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_3.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_1.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Global_Trustee.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Skype.crt
p11-kit: certificate with distrust in location for anchors: TC_TrustCenter_Universal_CA_III.crt
p11-kit: certificate with distrust in location for anchors: Bogus_GMail.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA_2nd.crt
p11-kit: certificate with distrust in location for anchors: MD5_Collisions_Forged_Rogue_CA_25c3.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__en_.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid_G2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Mozilla_Addons.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__cyb_.crt
p11-kit: certificate with distrust in location for anchors: UTN-USERFirst-Network_Applications.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid.crt
p11-kit: certificate with distrust in location for anchors: CA_Cert_Signing_Authority.crt
p11-kit: certificate with distrust in location for anchors: USERTrust_Legacy_Secure_Server_CA.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Root_CA.crt
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Google.crt
p11-kit: certificate with distrust in location for anchors: Bogus_live.com.crt
p11-kit: certificate with distrust in location for anchors: CAcert_Class_3_Root.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Services_1024_CA.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_3.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_1.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Global_Trustee.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Skype.crt
p11-kit: certificate with distrust in location for anchors: TC_TrustCenter_Universal_CA_III.crt
p11-kit: certificate with distrust in location for anchors: Bogus_GMail.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA_2nd.crt
p11-kit: certificate with distrust in location for anchors: MD5_Collisions_Forged_Rogue_CA_25c3.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__en_.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid_G2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Mozilla_Addons.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__cyb_.crt
p11-kit: certificate with distrust in location for anchors: UTN-USERFirst-Network_Applications.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid.crt
p11-kit: certificate with distrust in location for anchors: CA_Cert_Signing_Authority.crt
p11-kit: certificate with distrust in location for anchors: USERTrust_Legacy_Secure_Server_CA.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Root_CA.crt
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Google.crt
p11-kit: certificate with distrust in location for anchors: Bogus_live.com.crt
p11-kit: certificate with distrust in location for anchors: CAcert_Class_3_Root.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Services_1024_CA.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_3.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_1.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Global_Trustee.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Skype.crt
p11-kit: certificate with distrust in location for anchors: TC_TrustCenter_Universal_CA_III.crt
p11-kit: certificate with distrust in location for anchors: Bogus_GMail.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA_2nd.crt
p11-kit: certificate with distrust in location for anchors: MD5_Collisions_Forged_Rogue_CA_25c3.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__en_.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid_G2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Mozilla_Addons.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__cyb_.crt
p11-kit: certificate with distrust in location for anchors: UTN-USERFirst-Network_Applications.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid.crt
p11-kit: certificate with distrust in location for anchors: CA_Cert_Signing_Authority.crt
p11-kit: certificate with distrust in location for anchors: USERTrust_Legacy_Secure_Server_CA.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Root_CA.crt
p11-kit: certificate with distrust in location for anchors: VeriSign_Class_3_Secure_Server_CA_-_G2.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: mozilla.trust.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Google.crt
p11-kit: certificate with distrust in location for anchors: Bogus_live.com.crt
p11-kit: certificate with distrust in location for anchors: CAcert_Class_3_Root.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Services_1024_CA.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_3.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Yahoo_1.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Global_Trustee.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Skype.crt
p11-kit: certificate with distrust in location for anchors: TC_TrustCenter_Universal_CA_III.crt
p11-kit: certificate with distrust in location for anchors: Bogus_GMail.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Cyber_CA_2nd.crt
p11-kit: certificate with distrust in location for anchors: MD5_Collisions_Forged_Rogue_CA_25c3.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__en_.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid_G2.crt
p11-kit: certificate with distrust in location for anchors: Bogus_Mozilla_Addons.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_Malaysian_Digicert_Sdn._Bhd.__cyb_.crt
p11-kit: certificate with distrust in location for anchors: UTN-USERFirst-Network_Applications.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrusted_DigiNotar_PKIoverheid.crt
p11-kit: certificate with distrust in location for anchors: CA_Cert_Signing_Authority.crt
p11-kit: certificate with distrust in location for anchors: USERTrust_Legacy_Secure_Server_CA.crt
p11-kit: certificate with distrust in location for anchors: Explicitly_Distrust_DigiNotar_Root_CA.crt


I'm not sure, but this might also be connected with this other problem that I have:

SSL Error 61: You have not chosen to trust "VeriSign Class 3
International Server CA - G3", the issuer to the server's security
certificate.

I get this from a browser-citrix application....

any idea why these certifcates are distrusted? how can I trust them?
Comment 1 Stef Walter 2014-12-16 10:25:18 UTC 
What OS is this and how did you get p11-kit?

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.