ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Michael Catanzaro mcatanzaro at
Fri Oct 31 14:49:21 UTC 2014

On Fri, 2014-10-31 at 15:00 +0100, Nikos Mavrogiannopoulos wrote:
> > We should work with the upstream OpenSSL and the GnuTLS projects,
> and
> > motivate them to implement more advanced path building. This would
> be a
> > long term project.
> Is there some issue with gnutls in F21? As far as I understand it
> should
> work as expected with the certificates removed.

It works as expected in the sense that GnuTLS can no longer handle major
web sites like Amazon and Kickstarter, this being the natural
consequence of removing a root before the certificates issued by it have
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the devel mailing list