Hello,

this is a heads-up for an update to the ca-certificates package that I've just submitted for updates-testing for Fedora 19 and 20.

The upstream Mozilla CA list maintainers have decided to start removing CA certificates that use a weak 1024-bit key.

Although those certificates are still valid, Mozilla has worked with the CAs, and they did agree that it's OK to remove them.

However, there are end-entity and intermediate-CA certificates which have been issued by the removed CAs, which are still valid, and they might still be used by some - despite the CAs having attempted to reach out to all their customers and getting them to reconfigure their systems.

This means, when installing the updated ca-certificates package version 2014.2.1, some SSL/TLS connections might suddenly fail, because the related CA certificate is no longer trusted.

If you experience such situations, the right approach is to contact the owner of the certificate (or the server), and ask them to get a replacement certificate, or to install a replacement certificate on their SSL/TLS server.

Additional details can be found in the update description, which I'll paste at the end of this message.

(I have disabled karma-automation for this update, in case there's a need for a longer testing period. Note that this updated set of CA certificates is currently planned to be part of Firefox 32, which will get released around SEP 02.)

Regards
Kai

Update description:
===================

This is an update to the latest released set of CA certificates according to the Mozilla CA Policy. It's the same set that has been released in NSS versions 3.16.4 and 3.17.

It's noteworthy that several CA certificates with a weak key size of 1024-bits have been removed, prior to their expiration. (It is expected that additional CA certificates with weak 1024-bit keys will be removed in future releases.)

The removed CA certificates have been used to issue end-entity and intermediate-CA certificates which are still valid. Those certificates are likely to be rejected when using this updated ca-certificates package. The owners of affected certificates should contact their CA and ask for replacement certificates.

In some scenarios it might be sufficient to install an alternative intermediate CA certificate (e.g. on a TLS server), allowing an alternative trust chain to another root CA certificate to be found.

More information about the affected CA certificates and other recent modifications can be found in the NSS release notes for version 3.16.3 at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
with amendments to the changes as explained in the NSS release notes for version 3.16.4
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.4_release_notes
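
An added example, not part of the original message or of the ca-certificates package: a standard-library Python check that lists the RSA certificates with keys of 1024 bits or fewer in a PEM file, such as the chain file installed on a TLS server. The function names and the default threshold are assumptions of this example; it reads key sizes from well-formed DER only and does not validate the chain.

```python
import base64
import re
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    while start < end:
        tag, s, e = tlv(buf, start)
        yield tag, s, e
        start = e

def rsa_modulus_bits(der):
    """RSA modulus size in bits of an X.509 certificate, None for non-RSA keys."""
    _, s, e = tlv(der, 0)                      # Certificate SEQUENCE
    _, s, e = tlv(der, s)                      # tbsCertificate SEQUENCE
    fields = list(children(der, s, e))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, then subjectPublicKeyInfo
    _, s, e = fields[5]
    (_, alg_s, _), (_, key_s, _) = list(children(der, s, e))[:2]
    _, oid_s, oid_e = tlv(der, alg_s)          # algorithm OID
    if der[oid_s:oid_e] != RSA_OID:
        return None
    _, s, _ = tlv(der, key_s + 1)              # skip BIT STRING unused-bits byte
    _, mod_s, mod_e = tlv(der, s)              # modulus INTEGER
    return int.from_bytes(der[mod_s:mod_e], "big").bit_length()

def weak_rsa_certs(pem_text, max_weak_bits=1024):
    """Return [(position_in_file, bits)] for RSA certificates at or below the limit."""
    found = []
    for i, m in enumerate(PEM_CERT.finditer(pem_text)):
        bits = rsa_modulus_bits(base64.b64decode(m.group(1)))
        if bits is not None and bits <= max_weak_bits:
            found.append((i, bits))
    return found

if __name__ == "__main__":
    for idx, bits in weak_rsa_certs(open(sys.argv[1]).read()):  # path to a PEM file
        print(f"certificate #{idx}: RSA {bits} bits")
```

A certificate flagged here is not necessarily one of the removed roots; the NSS release notes linked above name the affected CA certificates.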