Package: testssl.sh
Version: 3.2~rc3+dfsg-1
Severity: wishlist
X-Debbugs-Cc: landry.min...@celeste.fr

Dear Maintainer,

Having some "enterprise" private CA configured with ca-certificates, it took me some research to understand that by default testssl.sh does not look at system certificates.

To be able to validate internal chains, I created the following symlink:

    /etc/testssl/System.pem ⇒ /etc/ssl/certs/ca-certificates.crt

Testing an internal server, I can now see this output for chain validation:

    Trust (hostname)             Ok via SAN and CN (same w/o SNI)
    Chain of trust               NOT ok: Apple (chain incomplete) Java (chain incomplete) Linux (chain incomplete) Microsoft (chain incomplete) Mozilla (chain incomplete)
                                 OK: System

Also, the other anchors are managed upstream and can be outdated or out of sync if updated, especially on stable, so it can be kind to view if a cURL command will be able to correctly validate the certificate chain or not on this system.

So it should be interesting if a similar link was done directly by the package (maybe with a debconf question if someone wants to keep upstream default).

Regards,

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages testssl.sh depends on:
ii  bind9-dnsutils [dnsutils]  1:9.19.17-1
ii  bsdextrautils              2.39.2-6
ii  openssl                    3.0.12-2
ii  procps                     2:4.0.4-2

Versions of packages testssl.sh recommends:
ii  libengine-gost-openssl  3.0.2-1

testssl.sh suggests no packages.

-- debconf-show failed
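
The per-store result in the report (every bundled store failing, `System` passing) can be reproduced offline with the added example below, which is not part of the original report and is not testssl.sh's own code. It is a simplified model that assumes each `*.pem` in the store directory is checked on its own and reported by file name; the CA, the leaf certificate, the `Mozilla.pem` stand-in and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration: simplified model of a per-store chain check.
# All keys and certificates are constructed in a temp dir; the real
# /etc/testssl and /etc/ssl/certs are never read or modified.

# check_stores CERT STORE_DIR: print "<store>:ok" or "<store>:fail" per bundle
check_stores() {
    cert="$1"; dir="$2"
    for bundle in "$dir"/*.pem; do
        name=$(basename "$bundle" .pem)
        # -no-CApath keeps OpenSSL from also consulting its default cert directory
        if openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            echo "$name:ok"
        else
            echo "$name:fail"
        fi
    done
}

# new_root CN KEYFILE CERTFILE: throwaway self-signed root (constructed)
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/stores"
    new_root "Example Internal CA" "$tmp/ca.key" "$tmp/ca.pem"
    new_root "Example Public Root" "$tmp/pub.key" "$tmp/stores/Mozilla.pem"
    # Leaf certificate issued by the internal CA only
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example" \
        -keyout "$tmp/leaf.key" -out "$tmp/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$tmp/leaf.csr" -CA "$tmp/ca.pem" -CAkey "$tmp/ca.key" \
        -CAcreateserial -days 1 -out "$tmp/leaf.pem" 2>/dev/null
    echo "== bundled stores only"
    check_stores "$tmp/leaf.pem" "$tmp/stores"
    # Same move as the report's System.pem symlink, pointed at the constructed CA
    ln -s "$tmp/ca.pem" "$tmp/stores/System.pem"
    echo "== with System.pem"
    check_stores "$tmp/leaf.pem" "$tmp/stores"
    rm -rf "$tmp"
}

demo
```

The public-style bundle keeps failing after the symlink is added, which is why a scan that only reports the bundled stores says nothing about whether tools using the system store on the same host will accept the chain.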