Re: Where is Epiphany's certificate store?



Hi,

Epiphany uses your operating system's trust store, which is stored in a distribution-specific location and is usually difficult to *correctly* edit by hand. p11-kit is the best way to add additional certificates. If p11-kit is broken on your operating system, then you can look up distribution-specific documentation on how to edit your trust store manually. But you really never want to do this.

Now, Epiphany is correct to block access to that website, because it failed to send the required intermediate certificate. Firefox and Chrome are both *arguably* wrong to display that website. They use NSS for certificate verification, and the NSS developers have foolishly decided that it's beneficial to cache intermediate certificates for use in future certificate verification in order to reduce certificate errors for users. I call this nondeterministic certificate verification, and it is a really bad idea. Well, it was probably a good idea 10 years ago, but the web is a different place nowadays. Today it has no benefit and just results in developers not realizing their websites are broken. WebKit does not cache certs and I'm strongly opposed to it ever doing so. For more information on this problem you can read this blog post:

https://blogs.gnome.org/mcatanzaro/2015/01/30/mozilla-is-responsible-for-the-redhat-corpmerchandise-com-fiasco/

If you try running `gnutls-cli stream1.fxxy.net` you'll notice it's broken in exactly the same way as the website in that blog post.

Michael
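The failure described in the message above can be reproduced offline. This is an added example, not part of the original e-mail: it builds a throwaway root, intermediate and leaf, then verifies the leaf with and without the intermediate available. It assumes the OpenSSL command-line tool (1.1.1 or later); the function names and certificate subjects are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); all names are made up
# and nothing here modifies the system trust store.

make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=Demo $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_chain ROOT LEAF [EXTRA]: trust only ROOT. EXTRA holds untrusted
# certificates usable for path building: what the server sent or, in a
# caching client, what was remembered from an earlier connection.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Same leaf, same trust anchor; the verdict depends only on the extra input.
tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
verify_chain "$tmp/root.pem" "$tmp/leaf.pem" && echo "leaf only: OK" || echo "leaf only: FAIL"
verify_chain "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/inter.pem" && echo "with intermediate: OK" || echo "with intermediate: FAIL"
rm -rf "$tmp"
```

The first check models a server that omits its intermediate and a client with no cache; the second gives the verifier the same certificate from any other source, which is why the outcome on a caching client depends on what it has seen before.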


