update on ca-certificates, introducing the ca-legacy utility

Stephen Gallagher sgallagh at redhat.com
Fri Nov 21 15:45:55 UTC 2014

On Fri, 2014-11-21 at 14:03 +0100, Kai Engert wrote:
> On Fri, 2014-10-31 at 14:05 +0100, Kai Engert wrote:
> > All legacy root CA certificates, which seem to be required for full
> > compatibility with either OpenSSL or GnuTLS, will continue to be
> > included and enabled in the ca-certificates package.
> > 
> > For users who are willing to accept the breakage and prefer using only the
> > latest trust, we provide a mechanism to disable the legacy trust.
> > 
> > I've described the proposed approach in more detail at
> > https://bugzilla.redhat.com/show_bug.cgi?id=1158197
> > 
> > I've pushed experimental packages with this implementation to Rawhide
> > and updates-testing for Fedora 21. I have disabled the karma automatism,
> > because I'll be offline for the next 2 weeks, and don't want things to
> > go live while I'm away. I think it will be helpful to collect test
> > feedback during that time, and see if it's suitable, and make a
> > ship/no-ship decision of this approach later.
> In the meantime, while I was on vacation, the above has been
> (accidentally) pushed as a stable update for Fedora 21 already:
>     ca-certificates-2014.2.1-1.5.fc21.noarch
> It seems it will be included in the final release of Fedora 21. Given
> that we keep legacy trust enabled, and given that I haven't seen any
> problem reports, it's probably OK.
> Using the new ca-legacy utility, users/administrators who are willing to
> accept the compatibility issues and who prefer to closely follow the
> Mozilla CA trust decisions, can disable trust for the legacy root CA
> certificates as a systemwide configuration, by executing this command as
> root:
>   ca-legacy disable
> The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
> and will be used on future package upgrades, when additional
> certificates are moved to the legacy state.
> If required, it's possible to undo the configuration and restore to the
> current default, using:
>   ca-legacy enable
> The current configuration can be shown using:
>   ca-legacy check
> Regarding Fedora 19 and Fedora 20:
> On F19/F20, GnuTLS is also affected by the breakage when disabling
> trust for the legacy CAs, because GnuTLS has been enhanced only in
> Fedora 21 and later.
> Updated packages for F19 and F20, which provide the update to version 2.1
> of the ca-certificates list and also include the new ca-legacy utility
> and configuration mechanism, have been pushed to updates-testing:
> https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
> https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20
> Kai

Kai, this is very important information buried at the bottom of a long
email thread; would you mind re-sending this summary in a new thread
(also to devel-announce) so that people are sure to see it?
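The message above says the choice made with "ca-legacy disable" is persisted in /etc/pki/ca-trust/ca-legacy.conf and reapplied on later package upgrades, so an administrator auditing a fleet wants to read that persisted state directly rather than trust that nobody ran "ca-legacy enable" since. The script below is an added example, not code from the mailing-list post or from the ca-certificates package. It assumes (assumption, not stated on the page) that the file carries a "[ca-legacy]" section with a line "legacy=default" or "legacy=disable" and that "#" starts a comment; check your own copy of the file before relying on the parser, and note that the real state is whatever "ca-legacy check" reports.

```shell
#!/bin/sh
# Added example, not part of the original post or the ca-certificates package.
# ASSUMED config format (verify locally): a "[ca-legacy]" section holding
# "legacy=default" or "legacy=disable"; lines beginning with '#' are comments.

# Print the persisted legacy-CA setting read from the given file:
#   disable  - legacy root CAs distrusted systemwide ("ca-legacy disable" was run)
#   default  - legacy root CAs enabled (package default, or "ca-legacy enable")
#   unset    - file missing or no legacy= line; behaves like default
#   invalid  - unrecognised value; treat as a misconfiguration worth a ticket
ca_legacy_state() {
    conf="$1"
    [ -r "$conf" ] || { echo unset; return 0; }
    # Only uncommented "legacy = value" lines match; the last one wins.
    val=$(sed -n 's/^[[:space:]]*legacy[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        "")       echo unset ;;
        disable)  echo disable ;;
        default)  echo default ;;
        *)        echo invalid ;;
    esac
}

# Report the persisted state next to what the ca-legacy tool itself says,
# when the tool is installed. Exit status 1 only for an invalid persisted value.
ca_legacy_audit() {
    conf="${1:-/etc/pki/ca-trust/ca-legacy.conf}"
    state=$(ca_legacy_state "$conf")
    echo "persisted legacy-CA state in $conf: $state"
    if command -v ca-legacy >/dev/null 2>&1; then
        echo "ca-legacy check reports:"
        ca-legacy check
    else
        echo "ca-legacy utility not installed on this host"
    fi
    [ "$state" != "invalid" ]
}
```

Run "ca_legacy_audit" as root on a host after "ca-legacy disable" and again after the next ca-certificates upgrade; the persisted state should still read "disable", which is the behaviour the announcement promises. Because a missing file or line is reported as "unset" rather than silently folded into "default", the audit also distinguishes a host that was never configured from one that was deliberately reset with "ca-legacy enable".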