ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

[Kai Engert]

On Mon, 2014-09-08 at 12:53 +0200, Vít Ondruch wrote:
> > I believe that we must contact Amazon and Symantec about this issue.
> > Amazon should remove the second intermediate, ending the path with the
> > G5 intermediate. This will allow openssl to find the trusted root CA.
> >
> > Also, Symantec should reach out to all of their customers and tell them
> > you update their configuration.
> >
> > I will contact them.
> 
> Great! Thanks. Should I open ticket against ca-certificates to keep
> track about this issue?

There was a short discussion here:
https://bugzilla.mozilla.org/show_bug.cgi?id=986005#c4

In this particular case, because it works with NSS/Firefox, the admins
don't think it's necessary to reconfigure?

I think it doesn't help to track the issue with this particular web
site. I've been told this is a default configuration, which had been
recommended by the CA to the customers for a long time, in order to
achieve maximum compatibility with clients. So it's unlikely to get all
sites changed, for two reasons, worry of site admins to break
compatibility, and the fact that it's unrealistic to reach and convince
all site admins.

This means, we'll either have to find a software solution (such as
getting gnutls/openssl enhanced to construct alternative chains), or
wait with weak 1024-bit removals by default, until all involved server
certificates have expired, which would be very unfortunate (and which
might take several years, because of the transitioning trick, that
causes recently issued certificates to appear to have been issued by
both the weak legacy and stronger replacement root ca cert).

Kai