ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys
Reindl Harald
h.reindl at thelounge.net
Tue Nov 18 16:44:34 UTC 2014
On 18.11.2014 at 16:12, Michael Catanzaro wrote:
> On Tue, 2014-11-18 at 12:11 +0100, Florian Weimer wrote:
>> Firefox also builds a repository of intermediate certificates over time
>> and uses them automatically to fill gaps in certificate chains for
>> completely unrelated sites. This leads to somewhat non-predictable
>> behavior regarding the set of sites to which Firefox can connect
>> reliably. This is difficult to emulate in one-shot command line tools
>> such as wget which do not keep any local state by default.
>
> And that's arguably the biggest problem of all. The goal is to reduce
> certificate validation failures for users who have seen a particular
> intermediate cert before, but the effect is that web developers get
> false positives when testing whether their sites are set up properly or
> not. This just makes things worse in the long run.
true - *but* anybody responsible for a https site should at least once
per month run https://www.ssllabs.com/ssltest/ against it

as far as I can say the best tool available, not only for checking the
certificate chain, but also browser support, optimal cipher configuration
and last but not least recent security issues reported
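
The effect discussed in the quoted exchange can be reproduced offline; the following is an added example, not part of the original message. It assumes the `openssl` command-line tool is installed, and the demo CA names, the host `www.example.test` and the helper function names are all constructed for illustration.

```sh
# Added example. Constructed PKI: Demo Root CA -> Demo Intermediate CA -> leaf.
# All subject names and the host www.example.test are made up for the demo.
set -eu

# mk_cert NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted.
mk_cert() {
  name=$1 subj=$2 ext=$3; shift 3
  if [ $# -eq 0 ]; then set -- -signkey "$name.key"
  else set -- -CA "$1.pem" -CAkey "$1.key" -CAcreateserial; fi
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$name.csr" -days 30 -extfile "$ext" "$@" \
    -out "$name.pem" >/dev/null 2>&1
}

build_demo_pki() (   # $1 = empty working directory; runs in a subshell
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >leaf.ext
  mk_cert root "/CN=Demo Root CA" ca.ext
  mk_cert int "/CN=Demo Intermediate CA" ca.ext root
  mk_cert leaf "/CN=www.example.test" leaf.ext int
)

# verify_leaf DIR [INTERMEDIATE.pem]: trust only the root; the optional file
# is an untrusted helper cert (sent by the server or cached by the client).
verify_leaf() {
  dir=$1; shift
  [ $# -eq 0 ] || set -- -untrusted "$1"
  openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# diagnose DIR SENT: SENT is the intermediate the server includes in its
# handshake, or "" for a server that sends only its leaf certificate.
diagnose() {
  if verify_leaf "$1" ${2:+"$2"}; then
    echo "chain-complete"                       # stateless clients succeed too
  elif verify_leaf "$1" "$1/int.pem"; then
    echo "works-only-with-cached-intermediate"  # a stateless client fails
  else
    echo "untrusted"
  fi
}

demo=$(mktemp -d)
build_demo_pki "$demo"
echo "leaf only:           $(diagnose "$demo" "")"
echo "leaf + intermediate: $(diagnose "$demo" "$demo/int.pem")"
rm -rf "$demo"
```

A site in the second state passes a manual check in a browser that has already seen the intermediate, which is why testing with a client that keeps no state gives the more reliable answer.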