ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Kai Engert kaie at kuix.de
Fri Oct 31 15:28:29 UTC 2014


On Fri, 2014-10-31 at 15:00 +0100, Nikos Mavrogiannopoulos wrote:
> > Sorry for my late reply, because I didn't have a good suggestion
> > earlier.
> > 
> > We should work with the upstream OpenSSL and the GnuTLS projects, and
> > motivate them to implement more advanced path building. This would be a
> > long term project.
> 
> Is there some issue with gnutls in F21? As far as I understand it should
> work as expected with the certificates removed.

I confirm that using GnuTLS 3.3.9-2.fc21 on Fedora 21 testing, 
with ca-certificates-2014.2.1-1.3.fc21,
and ca-legacy set to disabled,
the command
  gnutls-cli -p443 www.amazon.com
reports a trusted certificate.

That's great, thanks Nikos for fixing it in the newer GnuTLS on Fedora
21!

(Just for the record, using gnutls 3.1.27 on Fedora 20, and a scratch
build of the new ca-certificates package, and set to disabled, the
certificate is still rejected, which I understand is because of the
older GnuTLS version.)

If anyone can still see problems with GnuTLS and the above configuration
(disable) on Fedora 21, please let us know which site has the issue.

This means, the remaining package that needs fixing is OpenSSL.

Thanks
Kai




More information about the devel mailing list