ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Michael Catanzaro mcatanzaro at gnome.org
Mon Sep 8 14:00:44 UTC 2014


On Mon, 2014-09-08 at 10:06 +0200, Nikos Mavrogiannopoulos wrote:
> Unfortunately only NSS works. Both openssl and gnutls fail to connect to
> popular sites because of that change. It should not be assumed that the
> users of ca-certificates are only programs using nss.

[1] is an interesting read. I get the impression that certificates are
being removed as long as there is a compatible replacement that NSS can
validate, based on NSS's custom strategies for certificate validation.
Is this claim accurate?

This is a very big problem for the GNOME stack, which uses gnutls. We're
getting complaints about sites that Epiphany can't display because the
CSS fails certificate validation, or sites that don't display at all,
which all work fine in Firefox.

> I guess this is verification based on the rfc5280 path validation.
> Unlike that, NSS ignores the provided trust chain and tries to construct
> a new one internally. That's interesting and happens to work around the
> issue here but it is not and must not be required for all software to
> reconstruct trust chains. The TLS is very specific on that issue, the
> chain is provided by the server.

From my perspective as an application developer who wants the Internet
to "just work," and where proper functionality is defined as "whatever
Firefox and Chrome do"... any deviation from NSS's behavior is
problematic. :/ I know this is unfortunate but that's the reality of the
Internet. We have a partially-finished port of glib-networking from
gnutls to NSS, I guess for this reason.

Intermediate cert caching is another big pain point. My university ran
an important site for years without a chain of trust, and kept closing
my issue reports until I realized that they were using Firefox to
validate their chain of trust, and the cert that had signed the only one
they were sending was cached for them. This behavior is harmful not just
to other browsers, but also to Firefox users who happen to not have that
certificate cached yet.

> I do not agree. Such changes are dangerous to be performed on a stable
> release, and may introduce more issues than solve. Ca-certificates
> should not assume that NSS is its only user. That is either (1) it
> should include the trusted certificates that are still in wild use, or
> (2) it should include the intermediates of the trusted certificates that
> are in use.

I think (2) is what they're trying to do in [1], but it looks like this
relies on NSS-specific behavior. (And I'm aware that [1] is just one
case out of many.)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=986014
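
An added illustration, not part of the original message or of any project's code: a toy model of the two validation strategies discussed in this thread, one using only the chain as the server sent it and one building a path from sent plus cached certificates. The certificate names, key ids and function names are constructed for the example, and a signature is reduced to a match on issuer name and issuer key id.

```python
from collections import namedtuple

# Constructed toy certificates; a "signature" is just issuer name + issuer key id.
Cert = namedtuple("Cert", "subject key issuer issuer_key")

OLD_ROOT = Cert("Old Root 1024", "k-old", "Old Root 1024", "k-old")
NEW_ROOT = Cert("New Root 2048", "k-new", "New Root 2048", "k-new")
# Same subject and key as NEW_ROOT, but cross-signed by the old root.
CROSS = Cert("New Root 2048", "k-new", "Old Root 1024", "k-old")
INTER = Cert("Issuing CA", "k-int", "New Root 2048", "k-new")
LEAF = Cert("www.example.test", "k-leaf", "Issuing CA", "k-int")


def signed_by(cert, issuer):
    return cert.issuer == issuer.subject and cert.issuer_key == issuer.key


def anchored(cert, trust):
    return any(signed_by(cert, anchor) for anchor in trust)


def validate_as_sent(chain, trust):
    """Use only the server's chain, in order, and anchor its last certificate."""
    for cert, parent in zip(chain, chain[1:]):
        if not signed_by(cert, parent):
            return False
    return bool(chain) and anchored(chain[-1], trust)


def build_path(leaf, pool, trust):
    """Ignore the sent order: stop at the first trust anchor, else search the pool.
    Simplification: follows the first matching parent, with no backtracking."""
    cert, seen = leaf, set()
    while cert not in seen:
        seen.add(cert)
        if anchored(cert, trust):
            return True
        parents = [c for c in pool if signed_by(cert, c) and c not in seen]
        if not parents:
            return False
        cert = parents[0]
    return False


if __name__ == "__main__":
    sent = [LEAF, INTER, CROSS]            # server still sends the cross-signed chain
    print(validate_as_sent(sent, [OLD_ROOT, NEW_ROOT]))  # before the old root is removed
    print(validate_as_sent(sent, [NEW_ROOT]))            # after removal
    print(build_path(LEAF, sent[1:], [NEW_ROOT]))        # path building finds NEW_ROOT
```

Calling `build_path(LEAF, [], [NEW_ROOT])` versus `build_path(LEAF, [INTER], [NEW_ROOT])` reproduces the missing-intermediate case from the message: the same server configuration validates only for a client that already holds the intermediate.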