Expired CAs causing testsuite failures

DJ Lucas dj at lucasit.com
Wed Sep 1 19:59:05 PDT 2010


Guys, just a heads up, not sure if any of you are responsible for
maintaining the CAs for your respective distros, but I found that
upstream Mozilla has two certs that cause issues with jtreg in
nss-3.12.7.0 (though they still exist in mozilla-central for 3.12.8.0).
 I had removed expired ones previously, but found a new one and still
the Equifax one when I updated tonight.  Those are the certs with
OpenSSL-1.0 hash of 8f111d69 and f2cce23a, with the following header
information (resp):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66 (0x42)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jul 31 00:00:01 2004 GMT
            Not After : Sep  2 00:00:01 2004 GMT
        Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)

and

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 961510791 (0x394f7d87)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed Root CA
        Validity
            Not Before: Jun 20 14:21:04 2000 GMT
            Not After : Jun 20 13:21:04 2010 GMT
        Subject: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed Root CA

Not sure whether they should be blindly removed (but I'd assume so).
The Jun 20, 2010 is understandable (nss-3.12.7 was released prior to
expiration).  As soon as I figure out where to send, I will send an
inquiry upstream, but just wanted to give you all a heads up about
possible testsuite failures as a result of those expired CAs if you or
your distros are pulling your CAs from Mozilla.

-- DJ Lucas
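
One way to audit a dump like the one quoted above for expired or MD5-signed entries, as an added example that is not part of the original message. The names `audit_dump`, `_field` and `WEAK_SIGNATURES` are assumptions made for the example, and the sample text is the two headers from the message with wrapped lines rejoined.

```python
import re
from datetime import datetime, timezone

# Assumption: only MD5/MD2-based signatures are flagged as weak here.
WEAK_SIGNATURES = {"md5WithRSAEncryption", "md2WithRSAEncryption"}

# Constructed sample: the two headers quoted in the message, wrapped lines rejoined.
SAMPLE_DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66 (0x42)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jul 31 00:00:01 2004 GMT
            Not After : Sep  2 00:00:01 2004 GMT
        Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 961510791 (0x394f7d87)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed Root CA
        Validity
            Not Before: Jun 20 14:21:04 2000 GMT
            Not After : Jun 20 13:21:04 2010 GMT
        Subject: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed Root CA
"""

def _field(block, name):
    """Return the value of the first 'name: value' line in one certificate block."""
    match = re.search(rf"(?m)^\s*{re.escape(name)}\s*:\s*(.+?)\s*$", block)
    return match.group(1) if match else None

def audit_dump(dump, now):
    """Return one finding per certificate in an `openssl x509 -text` style dump."""
    findings = []
    for block in re.split(r"(?m)^Certificate:\s*$", dump)[1:]:
        # openssl pads single-digit days ("Sep  2"); collapse whitespace before parsing.
        stamp = " ".join(_field(block, "Not After").split())
        not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        findings.append({
            "subject": _field(block, "Subject"),
            "not_after": not_after,
            "expired": not_after < now,
            "weak_signature": _field(block, "Signature Algorithm") in WEAK_SIGNATURES,
        })
    return findings
```

Calling `audit_dump(SAMPLE_DUMP, now)` with `now` set to the message date flags both certificates as expired; with a reference date before Jun 20 2010 the beTRUSTed root is still reported as valid, which matches the release-timing remark in the message.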





More information about the distro-pkg-dev mailing list