ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Nikos Mavrogiannopoulos nmav at
Fri Oct 31 19:37:16 UTC 2014

----- Original Message -----
> This isn't a recent change, see [1]. I presume Amazon is most likely
> still broken in Epiphany (when these roots are removed) as there's been
> no action on [1], where we decided that gnutls-cli accepted
> because it uses certs if they're valid for either email
> or TLS, whereas GLib only uses certs if they're valid for TLS.
> Note that due to CDN magic, sites like Amazon load lots of subresources
> like images and CSS over connections using unrelated certs, so a more
> reliable test is to actually open the web page in a browser.
> [1]

I've reassigned the original bug to gnutls and closed with next release (F21). A fix for F20 is very hard to occur and would most probably introduce unncessary issues. If anything remains, feel free to reopen with more information. 


More information about the devel mailing list