On 17/12/16 17:05, Nicolas Chauvet wrote:
Maybe we need to rename FUTURE by QUITE_SOON instead, because the error you have pointed is about sha-1 been deprecated: According to this blog, chrome will remove support for sha-1 certificates on 1 January 2017 (it's an old post, so I don't know if it's still current). https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html the getfedora certificates is signed with sha-256, but the root CA has signed the intermediate certificate with sha-1. That the issue.
As far as I can see both the intermediate and leaf certificates have SHA-256 signatures. It is only the root certificate that has an SHA-1 signature and that will still be allowed by chrome - to quote that blog post:
"At this point, sites that have a SHA-1-based signature as part of the certificate chain (not including the self-signature on the root certificate) will trigger a fatal network error.
So the self signature on the root certificate can still be SHA-1 because that certificate is in the root set and hence is valid simply by existing and it's signature algorithm doesn't really matter.
Tom -- Tom Hughes (tom@xxxxxxxxxx) http://compton.nu/ _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
