Bug 1144808 - Temporarily re-enable several weak CA certificates until a better solution for openssl/gnutls can be found
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1158197
Reported: 2014-09-21 08:20 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2014-12-29 19:00 UTC (History)

Fixed In Version: ca-certificates-2014.2.1-1.1.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-27 09:59:08 UTC
Type: Bug
Embargoed:


Attachments
certdata 1.98, from NSS 3.16.2, which had old roots still trusted (299.32 KB, application/octet-stream)
2014-09-21 08:27 UTC, Kai Engert (:kaie) (inactive account)
certdata 2.1, from NSS 3.16.4, which removed trust for several legacy roots (312.51 KB, application/octet-stream)
2014-09-21 08:28 UTC, Kai Engert (:kaie) (inactive account)
non-upstream version, based on certdata 2.1, with several legacy roots re-enabled (316.89 KB, application/octet-stream)
2014-09-21 08:29 UTC, Kai Engert (:kaie) (inactive account)

Description Kai Engert (:kaie) (inactive account) 2014-09-21 08:20:59 UTC
The upstream Mozilla CA certificates list version 2.1, as released by Mozilla with NSS 3.16.4, removed trust for several old roots, which are considered to have weak keys.

The related upstream bugs are:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
https://bugzilla.mozilla.org/show_bug.cgi?id=986005

Unfortunately we see issues with software that uses OpenSSL/GnuTLS after these removals with many popular web sites.

The issue is that web sites may be configured to send multiple intermediate CA certificates, intended for maximum compatibility with client software. One intermediate points to one of the removed CA certificates, and a second one points to a newer root. The problem is that OpenSSL/GnuTLS don't search for an alternative trusted root after being unable to construct a trust chain for the topmost intermediate CA certificate sent by the servers.

In order to allow more time to implement enhancements or workarounds, the CA-certificates package will temporarily add back trust to the related root CA certificates.
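The chain-building difference described above, as an added Python model that is not part of this bug report or of OpenSSL/GnuTLS: certificates are reduced to subject/issuer names and key identifiers (constructed placeholders, not real CAs), `build_chain_naive` follows the first matching server-sent intermediate and stops at the first dead end, while `build_chain_backtracking` tries each alternative issuer before giving up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    skid: str    # stands in for the Subject Key Identifier (the cert's own key)
    issuer: str
    akid: str    # stands in for the Authority Key Identifier (the key that signed it)

def issued(child, parent):
    """Issuer name and signing key of the child match the parent's subject and key."""
    return child.issuer == parent.subject and child.akid == parent.skid

def build_chain_naive(leaf, sent, trust):
    """Behaviour the bug describes: follow the first matching issuer in the server-sent
    list and succeed only if that path ends at a trust anchor; dead ends are not revisited."""
    chain = [leaf]
    while True:
        top = chain[-1]
        anchor = next((t for t in trust if issued(top, t)), None)
        if anchor is not None:
            return chain + [anchor]
        nxt = next((c for c in sent if c not in chain and issued(top, c)), None)
        if nxt is None:
            return None          # no alternative intermediate is ever considered
        chain.append(nxt)

def build_chain_backtracking(leaf, sent, trust):
    """RFC 4158-style path building: try every candidate issuer, backtrack on dead ends."""
    def search(chain):
        top = chain[-1]
        for t in trust:
            if issued(top, t):
                return chain + [t]
        for c in sent:
            if c not in chain and issued(top, c):
                found = search(chain + [c])
                if found:
                    return found
        return None
    return search([leaf])

# Constructed sample certificates; names and key ids are placeholders, not real CAs.
LEGACY_ROOT = Cert("Legacy Root CA", "legacy-key", "Legacy Root CA", "legacy-key")
MODERN_ROOT = Cert("Modern Root G2", "g2-key", "Modern Root G2", "g2-key")
INTER_VIA_LEGACY = Cert("Example Intermediate", "inter-key", "Legacy Root CA", "legacy-key")
INTER_VIA_MODERN = Cert("Example Intermediate", "inter-key", "Modern Root G2", "g2-key")
LEAF = Cert("www.example.com", "leaf-key", "Example Intermediate", "inter-key")
SERVER_SENT = [LEAF, INTER_VIA_LEGACY, INTER_VIA_MODERN]  # legacy-compatible path listed first
```

With the trust store `{MODERN_ROOT}` the naive builder returns `None` while the backtracking builder returns the chain through `MODERN_ROOT`; adding `LEGACY_ROOT` back to the trust store, as this update does, makes the naive builder succeed as well.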

Comment 1 Kai Engert (:kaie) (inactive account) 2014-09-21 08:25:45 UTC
This will be done for Fedora 21 and Rawhide (22), which had already picked up these changes for everyone.

In addition, it will be done for Fedora 19 and 20, which so far had these changes only in updates-testing. Adding this change will allow us to ship the other new changes to the stable 19/20 distributions.

Comment 2 Kai Engert (:kaie) (inactive account) 2014-09-21 08:26:16 UTC
I'm adding several files to allow for tracking and review of these changes.

Comment 3 Kai Engert (:kaie) (inactive account) 2014-09-21 08:27:40 UTC
Created attachment 939722 [details]
certdata 1.98, from NSS 3.16.2, which had old roots still trusted

Comment 4 Kai Engert (:kaie) (inactive account) 2014-09-21 08:28:26 UTC
Created attachment 939723 [details]
certdata 2.1, from NSS 3.16.4, which removed trust for several legacy roots

Comment 5 Kai Engert (:kaie) (inactive account) 2014-09-21 08:29:36 UTC
Created attachment 939724 [details]
non-upstream version, based on certdata 2.1, with several legacy roots re-enabled

Comment 6 Fedora Update System 2014-09-21 08:53:36 UTC
ca-certificates-2014.2.1-1.1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.1.fc21

Comment 7 Fedora Update System 2014-09-24 15:45:27 UTC
Package ca-certificates-2014.2.1-1.1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11172/ca-certificates-2014.2.1-1.1.fc21
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-09-27 09:59:08 UTC
ca-certificates-2014.2.1-1.1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Yuhong Bao 2014-12-29 19:00:03 UTC
As a warning, the Equifax root expires in August 2018 and hopefully will be removed from Mozilla soon. Right now GeoTrust is still promoting the use of their GeoTrust to Equifax cross-certificate, and they do issue four year certificates.

