cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: RSA1024 cacert cleanups

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 5 Sep 2014 08:55:11 +0200 (CEST)

On Fri, 5 Sep 2014, Daniel Stenberg wrote:

> Just for information to all: Mozilla has recently removed weak certs from
> the CA certs bundle. Weak, in the meaning that they used 1024 bit RSA.

Okay, I've now been educated a bit more on this. (One of these days I'll know
a whole lot about TLS!)

With the use of "path discovery" as per RFC 4158, this removal is not supposed
to cause any problems. If I understand things correctly (that's a pretty big
if).

The only thing here is that OpenSSL and GnuTLS don't do this - at least not on
this ca cert bundle download. And older NSS doesn't either. I bet a lot of the
other TLS libs are in a similar situation.

So, partial breakage and tears to be expected with using this ca cert
bundle...

SHA-1 certs are planned to get ditched by 2017[*] and will drive the stick
further in.

[*] =
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2-R4XziFc7A/discussion[1-25-false]

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-05