ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Eric H. Christensen sparks at fedoraproject.org
Tue Aug 26 15:00:24 UTC 2014



On Tue, Aug 26, 2014 at 12:36:47PM +0200, Vít Ondruch wrote:
> $ gem fetch power_assert
> ERROR:  Could not find a valid gem 'power_assert' (>= 0), here is why:
>           Unable to download data from https://rubygems.org/ -
> SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
> certificate verify failed
> (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)
> 
> 
> Upstream RubyGems ships the certificates, but on your request, I removed
> the bundled certificates [1]. Now, 3 months later, RubyGems are broken in
> F21+ due to this update. Luckily, I have never backported this commit to
> F20, so this particular update is not harmful for the stable Fedora release,
> but what am I supposed to do with F21+?
> 
> I don't feel like contacting Amazon. You claim that nothing should break
> and Mozilla contacted everybody, so why not Amazon? Are they so negligible?
> 
> Should I follow your advice or follow upstream? Sorry, but this puzzles
> me ...


Hmmm, according to SSLLabs[0] rubygems.org is using a 2048-bit certificate and chains all the way up to a CA with a 2048-bit certificate.  The s3.amazonaws.com URL also uses a 2048-bit cert and chains up to a CA with 2048-bit certs as well.  If the "fix" to the CA trust file only removed CAs with weak (<2048-bit) certificates, it would appear that the breakage you see wouldn't be caused by this.

Out of curiosity, did certificate verification get turned on in the F21 version?

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks at fedoraproject.org - sparks at redhat.com
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
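The check Eric describes, as an added example that is not code from this thread, from RubyGems or from the ca-certificates package: it builds a constructed test PKI in Ruby's own OpenSSL binding (the code path `gem fetch` uses) with one 1024-bit root of the kind the update drops and one 2048-bit root, reports which roots have keys shorter than 2048 bits, and then verifies a leaf chained to each root against a trust store from which the weak roots have been pruned. All certificate names are made up for the example, the threshold of 2048 bits is the one from the subject line, and nothing here contacts rubygems.org or Amazon.

```ruby
require 'openssl'

DIGEST = 'SHA256'

# Constructed self-signed root with an RSA key of the given size (test PKI, not a real CA).
def self_signed_ca(cn, bits, serial)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [cert, key]
end

# Constructed 2048-bit end-entity certificate issued directly by the given root.
def leaf_signed_by(cn, ca_cert, ca_key, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Subjects of the certificates whose RSA modulus is shorter than min_bits:
# the inventory you would run over a CA bundle before an update like this one.
def weak_key_certs(certs, min_bits = 2048)
  certs.select { |c| c.public_key.is_a?(OpenSSL::PKey::RSA) && c.public_key.n.num_bits < min_bits }
       .map { |c| c.subject.to_s }
end

# What the ca-certificates update does to the trust store: drop the weak roots.
def prune_weak_roots(roots, min_bits = 2048)
  roots.reject { |c| c.public_key.is_a?(OpenSSL::PKey::RSA) && c.public_key.n.num_bits < min_bits }
end

# Verify a leaf against a store built from the given roots; returns [ok, error_string].
def verify_against(trust_roots, leaf)
  store = OpenSSL::X509::Store.new
  trust_roots.each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Constructed test PKI: names are made up, nothing is fetched from the network.
LEGACY_ROOT, LEGACY_KEY = self_signed_ca('legacy-root-1024', 1024, 1)
STRONG_ROOT, STRONG_KEY = self_signed_ca('modern-root-2048', 2048, 2)
LEGACY_LEAF = leaf_signed_by('legacy.example.test', LEGACY_ROOT, LEGACY_KEY, 3)
STRONG_LEAF = leaf_signed_by('gems.example.test', STRONG_ROOT, STRONG_KEY, 4)

if __FILE__ == $0
  roots = [LEGACY_ROOT, STRONG_ROOT]
  puts "roots with keys shorter than 2048 bits: #{weak_key_certs(roots).inspect}"
  pruned = prune_weak_roots(roots)
  [STRONG_LEAF, LEGACY_LEAF].each do |leaf|
    ok, err = verify_against(pruned, leaf)
    puts "#{leaf.subject}: #{ok ? 'verified' : "certificate verify failed (#{err})"}"
  end
end
```

The leaf under the 2048-bit root still verifies after the pruning, which is Eric's point about the rubygems.org and s3.amazonaws.com chains; only the leaf that chains to the dropped root fails, and it fails with OpenSSL's "unable to get local issuer certificate", the condition behind the generic "certificate verify failed" in Vít's `gem fetch` output.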