Connecting to some sites via glib-networking is broken due to removed certificates
Bug #1469803 reported by
Iain Lane
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ca-certificates (Ubuntu) |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Bug Description
See
https:/
https:/
- this situation still exists in the wild (e.g. Facebook's CDN), but our ca-certificates package has dropped these certs, as of 20150426.
For example run the attached script on wily or try to use Facebook in epiphany.
Fedora have kept some of these certificates and called them "legacy" - I suggest that we could do the same, at least until glib-networking is fixed.
Related branches
Revision history for this message
| Iain Lane (laney) wrote | #1 |
| Changed in ca-certificates (Ubuntu): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in ca-certificates (Ubuntu): | |
| status: | New → Fix Released |
To post a comment you must log in.
This bug was fixed in the package ca-certificates - 20150426ubuntu1
---------------
ca-certificates (20150426ubuntu1) wily; urgency=medium
* mozilla-1024/*, Makefile: Since version 20140927 of the ca-certificates
package, containing the 2.1 version of the nss database, CA
certificates with 1024-bit RSA keys have been removed. Unfortunately,
older versions of libraries such as OpenSSL, GnuTLS and glib-networking
are unable to automatically find alternative trust chains to continue
connecting to certain sites. This update restores the certificates
until all libraries have been updated to properly handle alternative
trust chains. See mozilla-
certificates that were added back. (LP: #1469803)
-- Marc Deslauriers <email address hidden> Mon, 13 Jul 2015 11:10:03 -0400