curl-library

RSA1024 cacert cleanups

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 5 Sep 2014 08:02:16 +0200 (CEST)

Hey all,

Just for information to all: Mozilla has recently removed weak certs from the
CA certs bundle. Weak, in the meaning that they used 1024 bit RSA.

If you download the latest cacert bundle from the curl site
(http://curl.haxx.se/docs/caextract.html) right now, you'll see that
s3.amazonaws.com sites no longer get verified fine. I guess that it goes for
a few other sites too.

References:

Blogged by Kai Engert here:
   https://kuix.de/blog/index.php?entry=Cleanup-of-1024-bit-CA-certificates

The removed certs are somewhat detailed in the recent NSS release notes:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.4_release_notes

Finally: while I am employed by Mozilla I am not at all involved in the CA cert
work.

-- 
  / daniel.haxx.se
Received on 2014-09-05
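
Added example, not part of the mail above or of the curl project's code: a standard-library Python check that lists the certificates in a PEM bundle (such as a locally saved cacert.pem) whose RSA key is smaller than a minimum size. The function names and the 2048-bit default threshold are assumptions of this example.

```python
import base64, re, sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos: return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_bits(der):
    """RSA modulus size in bits of a DER certificate, or None for non-RSA keys."""
    tbs = children(children(tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:                   # optional explicit [0] version field
        tbs = tbs[1:]
    # tbs is now: serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    alg, bitstring = children(tbs[5][1])[:2]
    if children(alg[1])[0][1] != RSA_OID:
        return None
    rsa_key = children(bitstring[1][1:])[0][1]   # drop the unused-bits octet
    modulus = children(rsa_key)[0][1]
    return int.from_bytes(modulus, "big").bit_length()

def weak_rsa_certs(bundle_text, min_bits=2048):
    """Return [(position_in_bundle, bits)] for RSA certs below min_bits."""
    weak = []
    for i, m in enumerate(PEM_RE.finditer(bundle_text)):
        bits = rsa_bits(base64.b64decode(m.group(1)))
        if bits is not None and bits < min_bits:
            weak.append((i, bits))
    return weak

# Usage (the bundle path is supplied by the caller): python3 this_file.py cacert.pem
if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8") as fh:
        for index, bits in weak_rsa_certs(fh.read()):
            print(f"certificate #{index}: RSA {bits} bits")
```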