Date: Sun, 29 Mar 2015 15:47:34 +0200
From: Michael Gmelin <freebsd@grem.de>
To: "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Subject: ca_root_nss and MD5 root certs
Message-ID: <20150329154734.12cc6201@bsd64.grem.de>

I noticed that recent versions of ca_root_nss removed root certificates that use an MD5 signature hash. Even though I think it is the Right Thing(tm) to do, it leads to problems when talking to systems that use certificates signed by one of those root CAs.

Unfortunately there seem to be a lot of systems out there that rely on such a certificate, especially this one:

 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

These sites still work in Chrome; I'm not certain what they're doing to verify.

It's a bit problematic, as updating ca_root_nss effectively cuts one off from other systems and APIs. Is there any recommended workaround (other than manually adding the root and locking the package)?

Thanks,
Michael

-- 
Michael Gmelin