Date: Fri, 24 Jul 2015 15:45:59 +0000
From: bugzilla-noreply@freebsd.org
To: gecko@FreeBSD.org
Subject: [Bug 201831] There is no "Thawte Premium Server CA" in the security/ca_root_nss
Message-ID: <bug-201831-21738-KA2vyAFVYT@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201831-21738@https.bugs.freebsd.org/bugzilla/>
References: <bug-201831-21738@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201831

Jan Beich <jbeich@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |Works As Intended
             Status|New                         |Closed
                URL|                            |https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
              Flags|maintainer-feedback?(gecko@ |maintainer-feedback+
                   |FreeBSD.org)                |

--- Comment #1 from Jan Beich <jbeich@FreeBSD.org> ---
Mozilla removed Thawte Premium Server CA because it uses 1024 RSA key size. If
you really want such roots try using CKBI 1.98 flavor.

It works fine with OpenSSL 1.0.1p on 11.0-CURRENT or security/openssl port.
openssl(1) there also no longer requires -CAfile to verify certs by default.

$ openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---

-- 
You are receiving this mail because:
You are the assignee for the bug.
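
Added example, not part of the original message or of the FreeBSD port: a small Python parser that compares the path OpenSSL verified (the depth= lines) with the certificates the server sent (the s:/i: pairs) in output like the above. The names SAMPLE, cn and analyze are hypothetical, and the sample abbreviates each DN to its CN.

```python
import re

# Constructed sample: the depth= and s:/i: lines from the s_client output
# above, in the same order, with each DN abbreviated to its CN.
SAMPLE = """\
depth=2 CN = thawte Primary Root CA
verify return:1
depth=1 CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/CN=thawte DV SSL CA - G2
 1 s:/CN=thawte DV SSL CA - G2
   i:/CN=thawte Primary Root CA
 2 s:/CN=thawte Primary Root CA
   i:/CN=Thawte Premium Server CA
 3 s:/CN=Thawte Premium Server CA
   i:/CN=Thawte Premium Server CA
---
"""

def cn(dn):
    """Return the CN of a DN in either 'CN = x' or '/CN=x' notation."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def analyze(text):
    # depth=N lines: the path OpenSSL actually verified (N=0 is the leaf).
    verified = {int(d): cn(dn)
                for d, dn in re.findall(r"^depth=(\d+) (.+)$", text, re.M)}
    # "N s:<subject>" / "i:<issuer>" pairs: the certificates the server sent.
    sent = [(cn(s), cn(i)) for s, i in
            re.findall(r"^[ \t]*\d+ s:(.+)\n[ \t]*i:(.+)$", text, re.M)]
    anchor = verified[max(verified)]
    return {
        "trust_anchor": anchor,
        # Sent certificates that are not part of the verified path.
        "sent_but_unused": [s for s, _ in sent if s not in verified.values()],
        # Issuers of sent copies of the anchor that are not self-signed,
        # i.e. the anchor was also sent cross-signed by another CA.
        "anchor_cross_signed_by": [i for s, i in sent if s == anchor and i != s],
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On this sample the verified path ends at thawte Primary Root CA, while the sent copy of that certificate is issued by Thawte Premium Server CA, which appears in the sent chain but not in the verified path.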