Bug 1144808

Summary: Temporarily re-enable several weak CA certificates until a better solution for openssl/gnutls can be found
Product: Fedora
Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: ca-certificates
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 21
CC: jorton, kengert, pwouters, tmraz, yuhongbao_386
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ca-certificates-2014.2.1-1.1.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-27 09:59:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1158197
Attachments:
* certdata 1.98, from NSS 3.16.2, which had old roots still trusted (flags: none)
* certdata 2.1, from NSS 3.16.4, which removed trust for several legacy roots (flags: none)
* non-upstream version, based on certdata 2.1, with several legacy roots re-enabled (flags: none)

Description Kai Engert (:kaie) (inactive account) 2014-09-21 08:20:59 UTC
The upstream Mozilla CA certificates list version 2.1, as released by Mozilla with NSS 3.16.4, removed trust for several old roots, which are considered to have weak keys.

The related upstream bugs are:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
https://bugzilla.mozilla.org/show_bug.cgi?id=986005

Unfortunately we see issues with software that uses OpenSSL/GnuTLS after these removals with many popular web sites.

The issue is that web sites may be configured to send multiple intermediate CA certificates, intended for maximum compatibility with client software. One intermediate points to one of the removed CA certificates, and another points to a newer root. The problem is that OpenSSL/GnuTLS don't search for an alternative trusted root, after being unable to construct a trust chain for the topmost intermediate CA certificate sent by the servers.

In order to allow more time to implement enhancements or workarounds, the CA-certificates package will temporarily add back trust to the related root CA certificates.
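The chain-building failure described in the report, modelled as an added example that is not part of the bug report or of OpenSSL/GnuTLS: certificates are reduced to subject/issuer names (no signatures are checked), the CA names are constructed placeholders, and the "strict" builder is a simplified model of the no-backtracking behaviour the report describes, contrasted with an alternative-path search and with the report's workaround of putting the legacy root back into the store.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: subject and issuer names only; signatures are not verified."""
    subject: str
    issuer: str


# Constructed data mirroring the report: the server sends the leaf plus two copies of
# its intermediate, one cross-signed by a legacy root that the trust store dropped and
# one signed by a newer root. The server lists the legacy cross-certificate first.
LEAF = Cert("www.example.test", "Intermediate CA")
SENT = [
    LEAF,
    Cert("Intermediate CA", "Legacy Root CA"),  # points at the removed root
    Cert("Intermediate CA", "Newer Root CA"),   # points at the newer root
]
STORE_AFTER_REMOVAL = {"Newer Root CA": Cert("Newer Root CA", "Newer Root CA")}
STORE_WITH_LEGACY = dict(STORE_AFTER_REMOVAL,
                         **{"Legacy Root CA": Cert("Legacy Root CA", "Legacy Root CA")})


def build_chain_strict(leaf: Cert, sent: List[Cert], trusted: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Model of the failing behaviour: follow the first matching server-sent issuer as far
    as it goes, then require the topmost certificate's issuer to be a trusted root."""
    chain = [leaf]
    while True:
        nxt = next((c for c in sent if c.subject == chain[-1].issuer and c not in chain), None)
        if nxt is None:
            break
        chain.append(nxt)
    root = trusted.get(chain[-1].issuer)  # no second attempt via another intermediate
    return chain + [root] if root else None


def build_chain_search(leaf: Cert, sent: List[Cert], trusted: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Alternative-path search: stop as soon as the current issuer is a trusted root,
    otherwise try every sent candidate issuer and backtrack from dead ends."""
    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        if chain[-1].issuer in trusted:
            return chain + [trusted[chain[-1].issuer]]
        for cand in sent:
            if cand.subject == chain[-1].issuer and cand not in chain:
                found = walk(chain + [cand])
                if found:
                    return found
        return None
    return walk([leaf])


def subjects(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return [c.subject for c in chain] if chain else None
```

With the legacy root removed the strict builder returns None while the search reaches "Newer Root CA"; re-adding the legacy root (the package's temporary fix) makes the strict builder succeed again, via the legacy path.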

Comment 1 Kai Engert (:kaie) (inactive account) 2014-09-21 08:25:45 UTC
This will be done for Fedora 21 and Rawhide (22), which had already picked up these changes for everyone.

In addition, it will be done for Fedora 19 and 20, which so far had these changes only in updates-testing. Adding this change will allow us to ship the other new changes to the stable 19/20 distributions.

Comment 2 Kai Engert (:kaie) (inactive account) 2014-09-21 08:26:16 UTC
I'm adding several files to allow for tracking and review of these changes.

Comment 3 Kai Engert (:kaie) (inactive account) 2014-09-21 08:27:40 UTC
Created attachment 939722 [details]
certdata 1.98, from NSS 3.16.2, which had old roots still trusted

Comment 4 Kai Engert (:kaie) (inactive account) 2014-09-21 08:28:26 UTC
Created attachment 939723 [details]
certdata 2.1, from NSS 3.16.4, which removed trust for several legacy roots

Comment 5 Kai Engert (:kaie) (inactive account) 2014-09-21 08:29:36 UTC
Created attachment 939724 [details]
non-upstream version, based on certdata 2.1, with several legacy roots re-enabled

Comment 6 Fedora Update System 2014-09-21 08:53:36 UTC
ca-certificates-2014.2.1-1.1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.1.fc21

Comment 7 Fedora Update System 2014-09-24 15:45:27 UTC
Package ca-certificates-2014.2.1-1.1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11172/ca-certificates-2014.2.1-1.1.fc21
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-09-27 09:59:08 UTC
ca-certificates-2014.2.1-1.1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Yuhong Bao 2014-12-29 19:00:03 UTC
As a warning, the Equifax root expires in August 2018 and hopefully will be removed from Mozilla soon. Right now GeoTrust is still promoting the use of their GeoTrust to Equifax cross-certificate, and they do issue four year certificates.