ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Michael Catanzaro mcatanzaro at
Fri Oct 31 17:44:17 UTC 2014

On Fri, 2014-10-31 at 16:28 +0100, Kai Engert wrote:
> I confirm that using GnuTLS 3.3.9-2.fc21 on Fedora 21 testing, 
> with ca-certificates-2014.2.1-1.3.fc21,
> and ca-legacy set to disabled,
> the command
>   gnutls-cli -p443
> reports a trusted certificate.

This isn't a recent change, see [1]. I presume Amazon is most likely
still broken in Epiphany (when these roots are removed) as there's been
no action on [1], where we decided that gnutls-cli accepted because it uses certs if they're valid for either email
or TLS, whereas GLib only uses certs if they're valid for TLS.

Note that due to CDN magic, sites like Amazon load lots of subresources
like images and CSS over connections using unrelated certs, so a more
reliable test is to actually open the web page in a browser.

P.S. To both Kai and Nikos: thanks for all your effort on this matter. A
couple months ago I was quite worried, but now I expect things will turn
out fine.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the devel mailing list