[Pkg-openssl-devel] Bug#774882: openssl: fail to verify some sites when 1024bit root CAs removed

Christian Seiler christian at iwakd.de
Mon Mar 28 16:57:59 UTC 2016


Control: block 812708 by -1
Control: severity -1 important

Hi,

I wanted to ask if there's any progress on this? Since 1024-bit root CAs
were removed from ca-certificates in January this year, this has become
a real issue, since openssl-based software won't accept some valid
certificate chains anymore. This is especially bad, since those sites
continue to keep the 1024-bit root CA as the final entry of the chain
for compatibility with older software, and no other SSL implementation
has a problem with that (especially browsers).

For example, this breaks curl with those sites, which is used in a
large variety of contexts, especially scripting languages. This might
lead some people to disable certificate checking altogether because
they don't know how to fix this, which is _much_ worse than keeping
1024-bit CAs in the root store.

Regards,
Christian
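The following is an added illustration, not part of the bug report and not OpenSSL's or Debian's code. It models the two chain-building strategies behind the failure described above: the older OpenSSL default, which follows the server-supplied certificates all the way to the legacy 1024-bit root before consulting the trust store, and X509_V_FLAG_TRUSTED_FIRST (available in 1.0.2, the default since 1.1.0), which prefers a trust-store issuer at every step. Certificates are plain records and the `signer_key_id` field stands in for a real signature check; the CA names, key ids and the server chain are constructed for the example.

```python
"""Why a chain that ends in a dropped 1024-bit root fails under OpenSSL's
pre-1.1.0 path building but passes with X509_V_FLAG_TRUSTED_FIRST.

Certificates are modelled as plain records; 'signer_key_id' stands in for a
real signature check. All names and key ids below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # the public key this cert carries
    signer_key_id: str  # the key that signed it (stand-in for a signature check)
    key_bits: int

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.signer_key_id == self.key_id


def issued(child: Cert, parent: Cert) -> bool:
    """Stand-in for X509_check_issued() plus signature verification."""
    return child.issuer == parent.subject and child.signer_key_id == parent.key_id


def find_issuer(cert, pool):
    return next((c for c in pool if issued(cert, c)), None)


def build_untrusted_first(leaf, untrusted, store):
    """Pre-1.1.0 default: follow the server-supplied certs as far as they go,
    and only then ask whether the top of that path is, or is issued by,
    something in the trust store."""
    chain = [leaf]
    while not chain[-1].self_signed:
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    top = chain[-1]
    if top.self_signed:
        if top in store:
            return chain, "OK"
        return chain, "self signed certificate in certificate chain"
    anchor = find_issuer(top, store)
    if anchor is None:
        return chain, "unable to get issuer certificate"
    return chain + [anchor], "OK"


def build_trusted_first(leaf, untrusted, store):
    """X509_V_FLAG_TRUSTED_FIRST (default since OpenSSL 1.1.0): at every step
    prefer an issuer from the trust store, so the path stops at the first
    trusted certificate instead of running on to the legacy root."""
    chain = [leaf]
    while True:
        cur = chain[-1]
        if cur in store:
            return chain, "OK"
        anchor = find_issuer(cur, store)
        if anchor is not None:
            return chain + [anchor], "OK"
        if cur.self_signed:
            return chain, "self signed certificate in certificate chain"
        nxt = find_issuer(cur, untrusted)
        if nxt is None or nxt in chain:
            return chain, "unable to get issuer certificate"
        chain.append(nxt)


def verify(sent, store, trusted_first):
    """sent = certificates as the server presents them, leaf first."""
    build = build_trusted_first if trusted_first else build_untrusted_first
    return build(sent[0], sent[1:], store)


def weakest_key_bits(chain):
    return min(c.key_bits for c in chain)


# Constructed fixture mirroring the cross-signing layout in the bug report.
OLD_ROOT = Cert("Legacy Root CA", "Legacy Root CA", "k_old", "k_old", 1024)
NEW_ROOT = Cert("Modern CA", "Modern CA", "k_new", "k_new", 2048)
# Same subject and key as NEW_ROOT, but signed by the legacy 1024-bit root.
CROSS = Cert("Modern CA", "Legacy Root CA", "k_new", "k_old", 2048)
LEAF = Cert("www.example.test", "Modern CA", "k_leaf", "k_new", 2048)

SERVER_CHAIN = [LEAF, CROSS, OLD_ROOT]  # site keeps the 1024-bit root as the final entry
STORE_BEFORE = [NEW_ROOT, OLD_ROOT]     # ca-certificates before the 1024-bit roots were dropped
STORE_AFTER = [NEW_ROOT]

if __name__ == "__main__":
    for label, store, tf in [("old store, untrusted-first", STORE_BEFORE, False),
                             ("new store, untrusted-first", STORE_AFTER, False),
                             ("new store, trusted-first", STORE_AFTER, True)]:
        chain, status = verify(SERVER_CHAIN, store, tf)
        print(f"{label}: {status}; path = {[c.subject for c in chain]}")
```

With the old store the untrusted-first walk succeeds but anchors on the 1024-bit root; with the pruned store it reports the self-signed legacy root as untrusted, which is the failure curl surfaces. Trusted-first stops at "Modern CA" and never looks at the 1024-bit certificate. On OpenSSL 1.0.2 an application can ask for that behaviour with X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST) (or `openssl verify -trusted_first` on the command line); from 1.1.0 it is the default.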
