e24bfeb6b0
By default, legacy roots required for OpenSSL/GnuTLS compatibility are kept enabled. Using the ca-legacy utility, the legacy roots can be disabled. If disabled, the system will use the trust set as provided by the upstream Mozilla CA list. (See also: rhbz#1158197)
#!/bin/sh
#set -vx
# Configuration file read by do_grep(): a line of the form "legacy=enable"
# (or "legacy=disable") selects which bundle below gets linked.
LCFILE="/etc/pki/ca-trust/ca-legacy.conf"
# Symbolic link in the trust source directory; do_install() points it at one
# of the two bundles below.
LLINK="/etc/pki/ca-trust/source/ca-bundle.legacy.crt"
# Bundle linked while legacy roots are enabled.
LENABLE="/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt"
# Bundle linked while legacy roots are disabled.
LDISABLE="/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt"
# Report whether $LCFILE selects the legacy roots.
# Returns 0 when a line matching "legacy = enable" (case-insensitive, blanks
# around "=" and trailing blanks allowed) is present; non-zero otherwise,
# including when the file is missing or unreadable (grep's diagnostics are
# discarded, so callers only see the exit status).
do_grep()
{
  grep -qi "^legacy *= *enable *$" "$LCFILE" 2>/dev/null
}
# Print the configured legacy state and the current target of $LLINK.
# Reads LCFILE (via do_grep), LLINK, LENABLE, LDISABLE; writes the global
# LEXPECT with the bundle do_install() would link for the current setting
# (LEXPECT is not read anywhere else in this script).
# Returns the status of readlink(1): non-zero when $LLINK is not a symlink.
do_check()
{
  if do_grep; then
    LEXPECT="$LENABLE"
    echo "Legacy CAs are set to ENABLED in file $LCFILE (affects install/upgrade)"
  else
    LEXPECT="$LDISABLE"
    echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
  fi
  echo "Status of symbolic link $LLINK:"
  # GNU readlink: -v reports an error message when the link cannot be read
  readlink -v "$LLINK"
}
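# Point $LLINK at the bundle matching the configured legacy state.
# Reads LCFILE (via do_grep), LENABLE, LDISABLE, LLINK.
# Returns the status of ln(1).
do_install()
{
  # -f replaces an existing entry at $LLINK; -n (GNU, like the -v of readlink
  # and -i of sed already used here) stops ln from following an existing
  # symlink to a directory, which would otherwise create the new link inside
  # that directory and leave $LLINK itself pointing elsewhere.
  if do_grep; then
    # expression was found, legacy is enabled
    ln -sfn "$LENABLE" "$LLINK"
  else
    # not found (or config unreadable), legacy is disabled
    ln -sfn "$LDISABLE" "$LLINK"
  fi
}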
# Switch the configuration to "legacy=enable", relink the bundle and rebuild
# the system trust store.
# Reads LCFILE; rewrites it in place.  Only an existing line beginning with
# "legacy" followed by "=" is changed; if no such line exists the file is left
# as is and the bundle selection stays with whatever do_grep() then finds.
# Returns the status of update-ca-trust.
do_enable()
{
  sed -i -e 's/^legacy *=.*$/legacy=enable/' "$LCFILE"
  do_install
  /usr/bin/update-ca-trust
}
# Switch the configuration to "legacy=disable", relink the bundle and rebuild
# the system trust store.
# Reads LCFILE; rewrites it in place.  Only an existing line beginning with
# "legacy" followed by "=" is changed; if no such line exists the file is left
# as is and the bundle selection stays with whatever do_grep() then finds.
# Returns the status of update-ca-trust.
do_disable()
{
  sed -i -e 's/^legacy *=.*$/legacy=disable/' "$LCFILE"
  do_install
  /usr/bin/update-ca-trust
}
# Print the usage line to stdout, naming the script as it was invoked.
do_help()
{
  printf 'usage: %s [check | enable | disable | install]\n' "$0"
}
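# Sub-command dispatch.  The script runs under /bin/sh, so POSIX test and
# case are used instead of bash's [[ ]], which is a syntax error in dash.
if [ "$#" -eq 0 ]; then
  # no parameters
  do_help
  exit $?
fi

case "$1" in
  install)
    do_install
    exit $?
    ;;
  enable)
    do_enable
    exit $?
    ;;
  disable)
    do_disable
    exit $?
    ;;
  check)
    do_check
    exit $?
    ;;
  *)
    # unknown sub-command: report usage on stderr and fail, instead of
    # falling through silently with status 0
    do_help >&2
    exit 1
    ;;
esac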