On 17/12/16 17:05, Nicolas Chauvet wrote:
> Maybe we need to rename FUTURE to QUITE_SOON instead, because the
> error you have pointed out is about sha-1 being deprecated:
> According to this blog, chrome will remove support for sha-1
> certificates on 1 January 2017 (it's an old post, so I don't know if
> it's still current).
> https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-i...
> The getfedora certificate is signed with sha-256, but the root CA has
> signed the intermediate certificate with sha-1. That's the issue.

As far as I can see both the intermediate and leaf certificates have
SHA-256 signatures. It is only the root certificate that has an SHA-1
signature and that will still be allowed by chrome - to quote that blog
post:
"At this point, sites that have a SHA-1-based signature as part of the
certificate chain (not including the self-signature on the root
certificate) will trigger a fatal network error."

So the self signature on the root certificate can still be SHA-1 because
that certificate is in the root set and hence is valid simply by
existing and its signature algorithm doesn't really matter.

Tom
--
Tom Hughes (tom(a)compton.nu)
http://compton.nu/
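
Added example, not part of the original message: a standard-library Python check of the rule quoted from the blog post, reading the signature algorithm of each DER certificate in a chain and ignoring a SHA-1 self-signature on the root. The certificates are constructed skeletons built inline (the names, `fake_cert` and `sha1_findings` are made up for this sketch), and treating issuer == subject as "the root" is an assumption; a real client exempts only certificates in its own root set.

```python
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
SHA1_OIDS = {SHA1_RSA, bytes.fromhex("2a8648ce3d0401")}  # plus ecdsa-with-SHA1

def tlv(buf, off=0):
    """Decode one DER element at off; return (tag, value, end offset)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length: low bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def children(buf):
    """Split a constructed element's contents into (tag, value, raw) items."""
    out, off = [], 0
    while off < len(buf):
        tag, val, end = tlv(buf, off)
        out, off = out + [(tag, val, buf[off:end])], end
    return out

def cert_fields(der):
    """Return (issuer, subject, signature algorithm OID) of a DER certificate."""
    tbs, sig_alg, _sig = children(tlv(der)[1])
    f = [c for c in children(tbs[1]) if c[0] != 0xA0]  # drop optional [0] version
    return f[2][2], f[4][2], children(sig_alg[1])[0][1]

def sha1_findings(chain):
    """Indexes of certificates whose SHA-1 signature counts against the chain."""
    # Assumption: issuer == subject marks the root, whose self-signature is ignored.
    fields = [cert_fields(der) for der in chain]
    return [i for i, (iss, sub, oid) in enumerate(fields) if oid in SHA1_OIDS and iss != sub]

def enc(tag, val):  # DER-encode one element; used only to build the samples
    n = len(val)
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b) + val

def fake_cert(issuer, subject, oid):
    """Constructed skeleton certificate: empty validity and key, zeroed signature."""
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode()))))
    alg = enc(0x30, enc(0x06, oid) + enc(0x05, b""))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg
              + name(issuer) + enc(0x30, b"") + name(subject) + enc(0x30, b""))
    return enc(0x30, tbs + alg + enc(0x03, bytes(257)))

ROOT, INTER = "Constructed Root CA", "Constructed Intermediate CA"
leaf = fake_cert(INTER, "leaf.example", SHA256_RSA)
AS_DESCRIBED = [leaf, fake_cert(ROOT, INTER, SHA256_RSA), fake_cert(ROOT, ROOT, SHA1_RSA)]
SHA1_INTERMEDIATE = [leaf, fake_cert(ROOT, INTER, SHA1_RSA), fake_cert(ROOT, ROOT, SHA1_RSA)]
```

For real input, `ssl.PEM_cert_to_DER_cert` from the standard library converts each PEM certificate into the DER bytes `sha1_findings` expects.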