The following WoSign CAs are still being installed even with USE="-insecure_certs":

CN=Certification Authority of WoSign G2, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, O=WoSign CA Limited, C=CN

Their canonical paths are:

/usr/share/ca-certificates/mozilla/Certification_Authority_of_WoSign_G2.crt
/usr/share/ca-certificates/mozilla/CA_WoSign_ECC_Root.crt

And here they are in the OpenSSL certificate directory:

# ls -l /etc/ssl/certs | grep -i wosign
lrwxrwxrwx 1 root root 22 Apr 6 16:16 26eaad2f.0 -> CA_WoSign_ECC_Root.pem
lrwxrwxrwx 1 root root 65 Apr 6 16:16 CA_WoSign_ECC_Root.pem -> ../../../usr/share/ca-certificates/mozilla/CA_WoSign_ECC_Root.crt
lrwxrwxrwx 1 root root 83 Apr 6 16:16 Certification_Authority_of_WoSign_G2.pem -> ../../../usr/share/ca-certificates/mozilla/Certification_Authority_of_WoSign_G2.crt
lrwxrwxrwx 1 root root 40 Apr 6 16:16 f38a011e.0 -> Certification_Authority_of_WoSign_G2.pem

Created attachment 470920
Proposed patch

Please see my proposed patch: When applied, users without insecure_certs USE flag will see an elog telling them why we are removing some certs and also a list of certs which were removed.

Patch is now using "find" to remove all WoSign and StartCom certs.

commit b2cae8b25d30cee6412433139fbc323f08cffb8a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Aug 8 09:38:15 2017

    app-misc/ca-certificates: Fixed removal of untrusted certs (#616002).

    Package-Manager: Portage-2.3.6, Repoman-2.3.3
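
An added example, not part of the report or the ebuild: a shell audit that lists every entry in a certificate directory that is named after, or resolves through symlinks to, a WoSign or StartCom file, so the hash-named links from the listing in the first comment are reported along with the .pem names, even when they dangle. The function names, the pattern and the sample tree (built in a temp dir, with a constructed Other_Root entry) are assumptions.

```shell
#!/bin/sh
# Added example: audit a certificate directory for WoSign/StartCom entries.
# PATTERN and both function names are assumptions, not taken from the ebuild.
PATTERN='wosign|startcom'

# Print each entry of directory $1 whose own name, or any name in its
# symlink chain, matches PATTERN (case-insensitive). One name per line.
audit_cert_dir() {
    dir=$1
    for entry in "$dir"/*; do
        # Keep dangling symlinks too: -e is false for them, -L is true.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        chain=$name
        cur=$entry
        hops=0
        # Follow links hop by hop so a hash link such as 26eaad2f.0 is
        # attributed to the certificate file it finally points at.
        while [ -L "$cur" ] && [ "$hops" -lt 8 ]; do
            target=$(readlink "$cur")
            chain="$chain $target"
            case $target in
                /*) cur=$target ;;
                *)  cur=${cur%/*}/$target ;;
            esac
            hops=$((hops + 1))
        done
        if printf '%s\n' "$chain" | grep -Eiq "$PATTERN"; then
            printf '%s\n' "$name"
        fi
    done | LC_ALL=C sort
}

# Build a constructed tree mirroring the layout in the report and print
# its root. Other_Root and 0a1b2c3d.0 are made-up control entries.
make_sample_dir() {
    root=$(mktemp -d)
    moz=usr/share/ca-certificates/mozilla
    mkdir -p "$root/$moz" "$root/etc/ssl/certs"
    : > "$root/$moz/CA_WoSign_ECC_Root.crt"
    : > "$root/$moz/Other_Root.crt"
    ( cd "$root/etc/ssl/certs" &&
      ln -s "../../../$moz/CA_WoSign_ECC_Root.crt" CA_WoSign_ECC_Root.pem &&
      ln -s CA_WoSign_ECC_Root.pem 26eaad2f.0 &&
      ln -s "../../../$moz/Other_Root.crt" Other_Root.pem &&
      ln -s Other_Root.pem 0a1b2c3d.0 )
    printf '%s\n' "$root"
}
```

Run as `audit_cert_dir /etc/ssl/certs` after an upgrade; empty output means no matching entry is left in the directory.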