ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys
kaie at kuix.de
Fri Oct 31 15:28:29 UTC 2014
On Fri, 2014-10-31 at 15:00 +0100, Nikos Mavrogiannopoulos wrote:
> > Sorry for my late reply, because I didn't have a good suggestion
> > earlier.
> > We should work with the upstream OpenSSL and the GnuTLS projects, and
> > motivate them to implement more advanced path building. This would be a
> > long term project.
> Is there some issue with gnutls in F21? As far as I understand it should
> work as expected with the certificates removed.
I confirm that using GnuTLS 3.3.9-2.fc21 on Fedora 21 testing,
and ca-legacy set to disabled,
gnutls-cli -p443 www.amazon.com
reports a trusted certificate.
That's great, thanks Nikos for fixing it in the newer GnuTLS on Fedora
(Just for the record, using gnutls 3.1.27 on Fedora 20, and a scratch
build of the new ca-certificates package, and set to disabled, the
certificate is still rejected, which I understand is because of the
older GnuTLS version.)
If anyone can still see problems with GnuTLS and the above configuration
(disable) on Fedora 21, please let us know which site has the issue.
This means, the remaining package that needs fixing is OpenSSL.
More information about the devel