So it seems "Equifax Secure Certificate Authority" is still present in the latest ca-certificates package. Presumably once Mozilla removes it we will issue an updated ca-certificates package.
However, removing it still allows google to validate: $ sudo rm /usr/lib/ssl/certs/Equifax_Secure_CA.pem $ openssl s_client -quiet -verify_return_error -connect google.com:443 -CApath /usr/lib/ssl/certs depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com verify return:1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1565293 Title: OpenSSL 1.0.1 fails to recognize cross-signed roots as trusted To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1565293/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
