Expired CAs causing testsuite failures
Pavel Tisnovsky
ptisnovs at redhat.com
Thu Sep 2 01:01:56 PDT 2010
DJ Lucas wrote:
> Guys, just a heads up, not sure if any of you are responsible for
> maintaining the CAs for your respective distros, but I found that
> upstream Mozilla has two certs that cause issues with jtreg in
> nss-3.12.7.0 (though they still exist in mozilla-central for 3.12.8.0).
> I had removed expired ones previously, but found a new one and still
> the Equifax one when I updated tonight. Those are the certs with
> OpenSSL-1.0 hash of 8f111d69 and f2cce23a, with the following header
> information (resp):
DJ Lucas,
thanks for this important information. I'm going to look from what data
certificates are generated on Fedoras and RHELs.
Pavel
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 66 (0x42)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global
> eBusiness CA-1
> Validity
> Not Before: Jul 31 00:00:01 2004 GMT
> Not After : Sep 2 00:00:01 2004 GMT
> Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
>
> and
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 961510791 (0x394f7d87)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed
> Root CA
> Validity
> Not Before: Jun 20 14:21:04 2000 GMT
> Not After : Jun 20 13:21:04 2010 GMT
> Subject: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed
> Root CA
>
> Not sure whether they should be blindly removed (but I'd assume so).
> The Jun 20, 2010 is understandable (nss-3.12.7 was released prior to
> expiration). As soon as I figure out where to send, I will send an
> inquiry upstream, but just wanted to give you all a heads up about
> possible testsuite failures as a result of those expired CAs if you or
> your distros are pulling your CAs from Mozilla.
>
> -- DJ Lucas
>
More information about the distro-pkg-dev
mailing list