On Fri, 5 Sep 2014, Daniel Stenberg wrote:
Just for information to all: Mozilla has recently removed weak certs from the CA certs bundle. Weak, in the meaning that they used 1024 bit RSA.
Okay, I've now been educated a bit more on this. (One of these days I'll know a whole lot about TLS!)
With the use of "path discovery" as per RFC 4158, this removal is not supposed to cause any problems. If I understand things correctly (that's a pretty big if).
The only thing here is that OpenSSL and GnuTLS don't do this - at least not on this ca cert bundle download. And older NSS doesn't either. I bet a lot of the other TLS libs are in a similar situation.
So, partial breakage and tears to be expected with using this ca cert bundle...
SHA-1 certs are planned to get ditched by 2017[*] and will drive the stick further in.
[*] = https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2-R4XziFc7A/discussion[1-25-false]
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
