Expired CAs causing testsuite failures

Dr Andrew John Hughes ahughes at redhat.com
Thu Sep 2 03:54:47 PDT 2010 

On 21:59 Wed 01 Sep     , DJ Lucas wrote:
> Guys, just a heads up, not sure if any of you are responsible for
> maintaining the CAs for your respective distros, but I found that
> upstream Mozilla has two certs that cause issues with jtreg in
> nss-3.12.7.0 (though they still exist in mozilla-central for 3.12.8.0).
>  I had removed expired ones previously, but found a new one and still
> the Equifax one when I updated tonight.  Those are the certs with
> OpenSSL-1.0 hash of 8f111d69 and f2cce23a, with the following header
> information (resp):
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 66 (0x42)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global
> eBusiness CA-1
>         Validity
>             Not Before: Jul 31 00:00:01 2004 GMT
>             Not After : Sep  2 00:00:01 2004 GMT
>         Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
> 

I think the Equifax expiry might explain why I've seen issues downloading
the JAXP and JAXWS bundles from dev.java.net.

> and
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 961510791 (0x394f7d87)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed
> Root CA
>         Validity
>             Not Before: Jun 20 14:21:04 2000 GMT
>             Not After : Jun 20 13:21:04 2010 GMT
>         Subject: C=WW, O=beTRUSTed, CN=beTRUSTed Root CAs, CN=beTRUSTed
> Root CA
> 
> Not sure whether they should be blindly removed (but I'd assume so).
> The Jun 20, 2010 is understandable (nss-3.12.7 was released prior to
> expiration).  As soon as I figure out where to send, I will send an
> inquiry upstream, but just wanted to give you all a heads up about
> possible testsuite failures as a result of those expired CAs if you or
> your distros are pulling your CAs from Mozilla.
> 
> -- DJ Lucas
> 
> -- 
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.
> 

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

More information about the distro-pkg-dev mailing list