ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Vít Ondruch vondruch at redhat.com
Tue Aug 26 10:36:47 UTC 2014


Hi Kay,

This update has potential to break RubyGems with error:


$ gem fetch power_assert
ERROR:  Could not find a valid gem 'power_assert' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ -
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
(https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)


Upstream RubyGems ships the certificates, but on your request, I removed
the bundled certificates [1]. Now, 3 months later, RubyGems are broken in
F21+ due to this update. Luckily, I have never backported this commit to
F20, so this particular update is not harmful for the stable Fedora release,
but what am I supposed to do with F21+?

I don't feel like contacting Amazon. You claim that nothing should break
and Mozilla contacted everybody, so why not Amazon? Are they so negligible?

Should I follow your advice or follow upstream? Sorry, but this puzzles
me ...



Vít



[1]
http://pkgs.fedoraproject.org/cgit/ruby.git/commit/?id=efdf386e3192775d84b69006d3bc12d5532455d2




On 18.8.2014 23:48, Kai Engert wrote:
> Hello,
>
> this is a heads-up for an update to the ca-certificates package that
> I've just submitted for updates-testing for Fedora 19 and 20.
>
> The upstream Mozilla CA list maintainers have decided to start removing
> CA certificates that use a weak 1024-bit key. Although those
> certificates are still valid, Mozilla has worked with the CAs, and they
> did agree that it's OK to remove them.
>
> However, there are end-entity and intermediate-CA certificates which
> have been issued by the removed CAs, which are still valid, and they
> might still be used by some - despite the CAs having attempted to reach
> out to all their customers and getting them to reconfigure their
> systems.
>
> This means, when installing the updated ca-certificates package version
> 2014.2.1, some SSL/TLS connections might suddenly fail, because the
> related CA certificate is no longer trusted.
>
> If you experience such situations, the right approach is to contact the
> owner of the certificate (or the server), and ask them to get a
> replacement certificate, or to install a replacement certificate on
> their SSL/TLS server.
>
> Additional details can be found in the update description, which I'll
> paste at the end of this message.
>
> (I have disabled karma-automation for this update, in case there's a
> need for a longer testing period. Note that this updated set of CA
> certificates is currently planned to be part of Firefox 32, which will
> get released around SEP 02.)
>
> Regards
> Kai
>
>
> Update description:
> ===================
> This is an update to the latest released set of CA certificates
> according to the Mozilla CA Policy. It's the same set that has been
> released in NSS versions 3.16.4 and 3.17.
>
> It's noteworthy that several CA certificates with a weak key size of
> 1024-bits have been removed, prior to their expiration. (It is expected
> that additional CA certificates with weak 1024-bit keys will be removed
> in future releases.)
>
> The removed CA certificates have been used to issue end-entity and
> intermediate-CA certificates which are still valid. Those certificates
> are likely to be rejected when using this updated ca-certificates
> package. The owners of affected certificates should contact their CA and
> ask for replacement certificates. In some scenarios it might be
> sufficient to install an alternative intermediate CA certificate (e.g.
> on a TLS server), allowing an alternative trust chain to another root CA
> certificate to be found.
>
> More information about the affected CA certificates and other recent
> modifications can be found in the NSS release notes for version 3.16.3
> at
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
> with amendments to the changes as explained in the NSS release notes for
> version 3.16.4 at
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.4_release_notes
>
>
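Added example, not part of this thread and not code from the ca-certificates, NSS or RubyGems projects: a throwaway PKI built with the openssl command-line tool that reproduces the situation Kai describes. A leaf certificate chains through an intermediate to "Old Root A", a still-unexpired root with a 1024-bit key; once that root is dropped from the trust bundle the chain fails, and it only verifies again when the server hands out a cross-signed copy of the same intermediate that leads to "Root B", which is still trusted. The certificate names, the server.example hostname, the bundle file names and the key sizes are all constructed for the example; it assumes only that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original thread: builds a tiny scratch PKI with
# the openssl CLI to show why leaf certificates break when their root is
# dropped from the trust bundle, and how a cross-signed ("alternative")
# intermediate restores a path to a root that is still trusted.
# All names (Old Root A, Root B, server.example) are constructed.
set -e

WORK=$(mktemp -d)

# Extension profiles: CA certificates and a TLS server leaf.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:server.example
EOF

# mkcsr NAME BITS SUBJECT: fresh RSA key plus certificate signing request.
mkcsr() {
    openssl req -new -newkey "rsa:$2" -nodes -sha256 -subj "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

setup_pki() {
    # Root A: the kind of root being removed, a 1024-bit key that is still unexpired.
    mkcsr rootA 1024 "/CN=Old Root A"
    openssl x509 -req -in "$WORK/rootA.csr" -signkey "$WORK/rootA.key" -sha256 \
        -days 365 -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/rootA.pem" 2>/dev/null
    # Root B: a root with a 2048-bit key that stays in the bundle.
    mkcsr rootB 2048 "/CN=Root B"
    openssl x509 -req -in "$WORK/rootB.csr" -signkey "$WORK/rootB.key" -sha256 \
        -days 365 -set_serial 2 -extfile "$WORK/ca.ext" -out "$WORK/rootB.pem" 2>/dev/null
    # One intermediate key, certified twice: by Root A and cross-signed by Root B.
    mkcsr int 2048 "/CN=Example Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/rootA.pem" -CAkey "$WORK/rootA.key" \
        -sha256 -days 365 -set_serial 3 -extfile "$WORK/ca.ext" -out "$WORK/intA.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/rootB.pem" -CAkey "$WORK/rootB.key" \
        -sha256 -days 365 -set_serial 4 -extfile "$WORK/ca.ext" -out "$WORK/intB.pem" 2>/dev/null
    # Server leaf issued by the intermediate; its issuer name matches both intA and intB.
    mkcsr leaf 2048 "/CN=server.example"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intA.pem" -CAkey "$WORK/int.key" \
        -sha256 -days 365 -set_serial 5 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # Trust bundles: before the update (both roots) and after it (Root A removed).
    cat "$WORK/rootA.pem" "$WORK/rootB.pem" > "$WORK/bundle_old.pem"
    cp "$WORK/rootB.pem" "$WORK/bundle_new.pem"
}

# verify_chain BUNDLE INTERMEDIATE LEAF: prints OK or FAIL, behaving like a TLS
# client that receives LEAF plus INTERMEDIATE from the server and trusts BUNDLE only.
verify_chain() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# key_bits CERT: RSA modulus size, the check to run on every root a chain relies on.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

setup_pki
echo "Root A key size: $(key_bits "$WORK/rootA.pem") bits"
echo "old bundle, server sends intA:              $(verify_chain "$WORK/bundle_old.pem" "$WORK/intA.pem" "$WORK/leaf.pem")"
echo "new bundle, server still sends intA:        $(verify_chain "$WORK/bundle_new.pem" "$WORK/intA.pem" "$WORK/leaf.pem")"
echo "new bundle, server sends cross-signed intB: $(verify_chain "$WORK/bundle_new.pem" "$WORK/intB.pem" "$WORK/leaf.pem")"
echo "scratch PKI left in $WORK"
```

The second verification is the RubyGems failure from the top of the thread seen from the client side: the leaf and the intermediate are both unexpired and correctly signed, but the chain ends at a root the client no longer has, so verification stops with "unable to get issuer certificate". The third run is the fix Kai's update description proposes: nothing on the client changes, the server simply serves the cross-signed intermediate and the same leaf now chains to Root B. The `key_bits` check is what an operator can run against the last certificate a chain anchors to, before an update like this one turns a weak-key root into an outage.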


