ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Nikos Mavrogiannopoulos nmav at
Fri Oct 31 14:53:23 UTC 2014

On Fri, 2014-10-31 at 09:49 -0500, Michael Catanzaro wrote:
> > > We should work with the upstream OpenSSL and the GnuTLS projects, and
> > > motivate them to implement more advanced path building. This would be a
> > > long term project.
> > Is there some issue with gnutls in F21? As far as I understand it should
> > work as expected with the certificates removed.
> It works as expected in the sense that GnuTLS can no longer handle major
> web sites like Amazon and Kickstarter, this being the natural
> consequence of removing a root before the certificates issued by it have
> expired....

Are you sure that this is the case with the current package? My F21 can
no longer connect to the network to test, but gnutls in it should
reconstruct the chain similarly to what nss does (not very similarly, to
be precise, but the end result should be the same). If it is not the case,
please report it as a bug and I'll check it out.


