[Melbourne-pm] Mozilla::CA

Toby Corkindale toby.corkindale at strategicdata.com.au
Wed May 6 16:46:30 PDT 2015


Thanks for that link, Kal.

The RHEL solution (re-adding the 1024-bit certs) was discussed on the CPAN Mozilla::CA package, but the maintainer and others are *not* re-adding the certs, sadly.
So we can look forward to another couple of years of constant CPAN test failures until distros with newer openssl/libressl/gnutls arrive
:/

T

----- Original Message -----
> From: "Kahlil Hodgson" <kahlil.hodgson at dealmax.com.au>
> To: "Toby Corkindale" <toby.corkindale at strategicdata.com.au>
> Sent: Thursday, 7 May, 2015 9:34:39 AM
> Subject: Re: [Melbourne-pm] Mozilla::CA
> 
> Hi Toby,
> 
> Belated thanks for the info;-)
> 
> Discovered the following link to RedHat's response to this issue
> https://access.redhat.com/articles/1413643 which you may find
> interesting.
> 
> Cheers,
> 
> Kal
> 
> On 8 April 2015 at 10:21, Toby Corkindale
> <toby.corkindale at strategicdata.com.au> wrote:
> > Hi Kahlil,
> > There's some discussion in here: https://github.com/gisle/mozilla-ca/pull/5
> >
> > The issue is that it has removed some CAs that were still using 1024-bit
> > RSA, rather than stronger levels.
> > The actual Mozilla browser has the ability to still get around this some
> > how, but not so much in libssl < 1.0.2.
> >
> > It does sound like some of these websites really should upgrade their own
> > certs, as the ultimate proper fix, but unfortunately in the meantime a lot
> > of things are breaking :(
> >
> > Toby
> >
> > ----- Original Message -----
> >> From: "Kahlil Hodgson" <kahlil.hodgson at dealmax.com.au>
> >> To: "Toby Corkindale" <toby.corkindale at strategicdata.com.au>
> >> Sent: Wednesday, 8 April, 2015 8:27:34 AM
> >> Subject: Re: [Melbourne-pm] Mozilla::CA
> >>
> >> Thanks for the heads up Toby.
> >>
> >> Any idea why the CAs were removed?  Was this because of SHA1 issues?
> >> If this is a legitimate removal, should we be trusting services that
> >> still use them? <looking at you AWS>
> >>
> >> On 7 April 2015 at 17:44, Toby Corkindale
> >> <toby.corkindale at strategicdata.com.au> wrote:
> >> > And updated to say.. apparently it's kind of a bug or missing feature in
> >> > OpenSSL that causes the failures once these certs went away; but if
> >> > you're
> >> > running the latest, greatest version of openssl[1] then you can pass a
> >> > flag to it to get it to work[2].
> >>
> >> So its not a problem with Mozilla::CA?  Do you have any links to the
> >> openssl bug/feature/options you are referring to?
> >>
> >> > 1: But you won't be running it; even ubuntu 15.04 is still shipping
> >> > 1.0.1
> >> > 2: But you won't be, because this will be something in IO::Socket::SSL
> >> > or
> >> > similar and out of your control
> >>
> >> Might be lucky and have a distro that backports the option to
> >> openssl-1.0.1 or patches IO::Socket::SSL


More information about the Melbourne-pm mailing list