https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201831

Jan Beich <[email protected]> changed:

           What    |Removed                                 |Added
----------------------------------------------------------------------------
         Resolution|---                                     |Works As Intended
             Status|New                                     |Closed
                URL|                                        |https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
              Flags|maintainer-feedback?(gecko@FreeBSD.org) |maintainer-feedback+

--- Comment #1 from Jan Beich <[email protected]> ---
Mozilla removed Thawte Premium Server CA because it uses 1024 RSA key size. If
you really want such roots try using CKBI 1.98 flavor.

It works fine with OpenSSL 1.0.1p on 11.0-CURRENT or security/openssl port.
openssl(1) there also no longer requires -CAfile to verify certs by default.

$ openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
---
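
Added example, not part of the original message: a small parser for s_client output that compares the path the client validated (the depth= lines) with the chain the server sent, showing that validation stopped at thawte Primary Root CA while the server also sent a cross-signed copy leading to the removed Thawte Premium Server CA. The helper names cn and analyse are hypothetical, and the sample is an abbreviated copy of the output quoted above.

```python
import re

# Constructed sample: the s_client output quoted above, with DN fields shortened.
SAMPLE = """\
depth=2 C = US, O = "thawte, Inc.", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./CN=thawte Primary Root CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
 3 s:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
"""

def cn(dn):
    """Common name from a DN in 'CN = x' (verify) or '/CN=x' (chain) form."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", dn)
    return m.group(1).strip() if m else None

def analyse(text):
    """Hypothetical helper: compare the verified path with the chain sent."""
    # Path the client validated: one "depth=N <subject DN>" line per cert.
    verified = {int(d): cn(dn)
                for d, dn in re.findall(r"^depth=(\d+) (.+)$", text, re.M)}
    # Certificates the server sent: "N s:<subject>" then "i:<issuer>".
    sent = [(cn(s), cn(i)) for s, i in
            re.findall(r"^ *\d+ s:(.+)\n *i:(.+)$", text, re.M)]
    if not verified or not sent:
        raise ValueError("no verify lines or certificate chain in input")
    anchor = verified[max(verified)]      # top of the validated path
    subjects = [s for s, _ in sent]
    # Sent certificates that sit above the anchor the client stopped at.
    above = subjects[subjects.index(anchor) + 1:] if anchor in subjects else []
    return {
        "trust_anchor": anchor,
        "certs_sent": len(sent),
        "sent_above_anchor": above,
        # True when the server's copy of the anchor is issued by another CA.
        "anchor_cross_signed": any(s == anchor and i != s for s, i in sent),
    }
```

A non-empty sent_above_anchor means the server still sends certificates the client did not need; a client without the shorter path in its trust store would have to chain to those instead.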
