update on ca-certificates, introducing the ca-legacy utility
Kai Engert
kaie at kuix.de
Fri Nov 21 16:17:50 UTC 2014
Resending this as a new thread, for increased visibility.
As explained in the older thread, the Mozilla project has started to
remove CA certificates that contain weak keys. Those removals cause
issues with software based on OpenSSL, and software based on older
versions of GnuTLS.
(A short description of the issue can be found in tracker bug
https://bugzilla.redhat.com/show_bug.cgi?id=1166614 - I intend to file a
ticket against OpenSSL shortly.)
For Fedora, we have decided to keep the legacy CA certificates included
and trusted by default, in order to avoid compatibility issues, until we
get functional updates to OpenSSL.
I'm documenting the changes on top of the Mozilla CA
list at: https://fedoraproject.org/wiki/CA-Certificates
However, we want to provide users/administrators with the ability to
change the default, by configuring the ca-certificates to strictly
follow the trust decisions made by Mozilla, thereby accepting the
compatibility issues (e.g. untrusted TLS connections, if certificates of
affected server configurations cannot be validated).
The above has been implemented for Fedora 21, it looks like it will be
included as part of the Fedora 21 release:
ca-certificates-2014.2.1-1.5.fc21.noarch
Using the new ca-legacy utility, it is possible to disable trust for the
legacy CA certificates as a systemwide configuration, by executing this
command as root:
ca-legacy disable
The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
and will be used on future package upgrades, when additional
certificates are moved to the legacy state.
If required, it's possible to undo the configuration and revert to the
current default, using:
ca-legacy enable
The current configuration can be shown using:
ca-legacy check
Regarding Fedora 19 and Fedora 20:
On F19/F20, GnuTLS is also affected by the breakage, when disabling
trust for the legacy CAs, because GnuTLS has been enhanced in Fedora 21
and later, only.
Updated packages for F19 and F20, that provide the update to version 2.1
of the ca-certificates list, and which also include the new ca-legacy
utility and configuration mechanism, have been pushed to
updates-testing:
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20
Kai
More information about the devel
mailing list