[Pkg-openssl-devel] Bug#774882: openssl: fail to verify some sites when 1024bit root CAs removed
Hiroyuki YAMAMORI
h-yamamo at db3.so-net.ne.jp
Thu Jan 8 15:24:03 UTC 2015
Package: openssl
Version: 1.0.1j-1
Severity: normal
Dear Maintainer,
To avoid a security weakness, when 1024-bit RSA root CAs are removed,
a verify error occurs on some sites with a cross root CA.
I've seen the following:
https://bugzilla.mozilla.org/show_bug.cgi?id=986005#c4
And the patch that fixes it is the following:
http://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest
[PATCH] x509: skip certs if in alternative cert chain
I've tested this patch. No issues were found.
My tests are as follows.
1) build openssl packages with the patch applied and install them.
2) remove root CAs in /usr/share/ca-certificates/mozilla/
   Equifax_Secure_*.crt
   GTE_CyberTrust_Global_Root.crt
   Thawte_*.crt
   Verisign_Class_3_Public_Primary_Certification_Authority.crt
   Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
3) [strace] openssl s_client -CApath /etc/ssl/certs -showcerts -connect s3.amazonaws.com:443
   test other sites, e.g. www.debian.org, www.geotrust.co.jp, dinahosting.com
Thank you.
--
Hiroyuki YAMAMORI
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.19-13
ii libssl1.0.0 1.0.1j-1+p1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20141019
-- no debconf information
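
An added illustration, not part of the original message and not OpenSSL's code: a simplified model of chain building that follows server-sent certificates first, and of a retry that looks for an alternative chain. It assumes the failure is the cross-root case the report describes, where the server sends a cross-certificate for a root whose self-signed version is still in the trust store; all certificate names and keys are constructed.

```python
from collections import namedtuple

# Constructed model: "key" names the subject's key pair,
# "signed_by" names the key that signed this certificate.
Cert = namedtuple("Cert", "subject issuer key signed_by")

def issued(child, parent):
    return child.issuer == parent.subject and child.signed_by == parent.key

def find_issuer(cert, pool, exclude=()):
    return next((c for c in pool if issued(cert, c) and c not in exclude), None)

def untrusted_first(leaf, sent, trusted):
    """Extend the chain with server-sent certs as far as possible, then
    look in the trust store only for the issuer of the last one."""
    chain = [leaf]
    while (nxt := find_issuer(chain[-1], sent, exclude=chain)) is not None:
        chain.append(nxt)
    return chain, find_issuer(chain[-1], trusted)

def with_alternative_chain(leaf, sent, trusted):
    """On failure, drop server-sent certs from the end and retry the
    trust-store lookup at each shorter chain."""
    chain, anchor = untrusted_first(leaf, sent, trusted)
    while anchor is None and len(chain) > 1:
        chain.pop()
        anchor = find_issuer(chain[-1], trusted)
    return chain, anchor

# Constructed PKI: the new root's key is also certified by the old root.
OLD_ROOT = Cert("Old Root (1024-bit)", "Old Root (1024-bit)", "k-old", "k-old")
NEW_ROOT = Cert("New Root", "New Root", "k-new", "k-new")
CROSS = Cert("New Root", "Old Root (1024-bit)", "k-new", "k-old")
INTER = Cert("Issuing CA", "New Root", "k-int", "k-new")
LEAF = Cert("www.example.test", "Issuing CA", "k-leaf", "k-int")
SENT = [INTER, CROSS]  # what the server sends after the leaf

def subjects(result):
    chain, anchor = result
    tail = [anchor.subject] if anchor else ["<no trust anchor>"]
    return [c.subject for c in chain] + tail

if __name__ == "__main__":
    for name, store in (("both roots", [OLD_ROOT, NEW_ROOT]),
                        ("old root removed", [NEW_ROOT])):
        print(name, "| untrusted first:", subjects(untrusted_first(LEAF, SENT, store)))
        print(name, "| with retry:", subjects(with_alternative_chain(LEAF, SENT, store)))
```

With the old root removed, the first strategy ends at the cross-certificate and finds no trust anchor, while the retry drops the cross-certificate and anchors the intermediate at the new root.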