[haiku-commits] Re: haiku: hrev48983 - build/jam/repositories/HaikuPorts

  • From: Adrien Destugues <pulkomandy@xxxxxxxxx>
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Sat, 4 Apr 2015 16:01:33 +0200

On Sat, Apr 04, 2015 at 09:42:50AM -0400, Alexander G. M. Smith wrote:

10785b19863f: Update the ca_root_certificates package.
[ Jérôme Duval <jerome.duval@xxxxxxxxx> ]

- ca_root_certificates-2015_02_25-1
+ ca_root_certificates-2014_08_13-1
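Review bot: the commit message says "Update", but the version moves from 2015_02_25 back to 2014_08_13, which is a downgrade; the message should state that this reverts e5d75a0920c3 (hrev48961) and give the reason, so the history does not read as if a later package were simply being picked up.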

Are you sure this is an update? Seems to be going backwards in time.

Though looking back in time, I see that you are basically undoing your
previous commit e5d75a0920c3 (hrev48961). What went wrong with the
certificates?

Later versions of ca_root_certificate deprecate some certificates
considered "weak" (1024 bit keys). However, some websites still use
these certificates in their trust chain (including Amazon S3, for
example). While Mozilla's NSS library will in this case try to find a
different chain of trust and find a valid one, OpenSSL doesn't do that,
yet, and if the certificate chain given by the server contains one of
these certificates, the SSL connection will be rejected.

There is unfortunately no easy solution, except waiting for the affected
websites to adjust their certificate chains, or waiting for OpenSSL
1.1.0 (not yet released), which will supposedly improve the chain
validation system (this was mentioned in some discussions about this
issue, but I see nothing in the OpenSSL 1.1.0 changelog that seems to
match).

--
Adrien.
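A toy model of the chain-building difference Adrien describes, added here as an example (it is not code from Haiku, OpenSSL or NSS; the certificate records, CA names and the 1024/2048-bit policy threshold are constructed). A single forward walk through the server-sent chain fails once the 1024-bit root is dropped from the store, a backtracking search that consults the trust store still finds a path, and the `trusted_first` switch sketches the "look in the trust store first" behaviour.

```python
from collections import namedtuple

Cert = namedtuple("Cert", "name issuer key_bits")  # toy record, not real X.509

# Constructed sample. "Inter CA G2" exists twice: as a 2048-bit self-signed root
# in the trust store and as a cross-certificate signed by a 1024-bit legacy root.
LEAF = Cert("www.example.test", "Inter CA G2", 2048)
INTER_CROSS = Cert("Inter CA G2", "Old Root 1024", 2048)
OLD_ROOT = Cert("Old Root 1024", "Old Root 1024", 1024)
NEW_ROOT = Cert("Inter CA G2", "Inter CA G2", 2048)
SENT = [LEAF, INTER_CROSS, OLD_ROOT]  # chain as the server sends it

def trust_store(min_key_bits):
    """Model the ca_root_certificates policy: drop roots with weak keys."""
    return [c for c in (OLD_ROOT, NEW_ROOT) if c.key_bits >= min_key_bits]

TRUSTED_2014 = trust_store(1024)  # older package: 1024-bit root still shipped
TRUSTED_2015 = trust_store(2048)  # newer package: 1024-bit root deprecated

def chain_verify(leaf, sent, trusted, trusted_first=False):
    """OpenSSL-1.0-style single walk: take the next issuer from the server-sent
    chain first (trust store first if trusted_first) and never backtrack.
    Returns the verified path, or None."""
    pools = (trusted, sent) if trusted_first else (sent, trusted)
    path, cur = [leaf], leaf
    while cur not in trusted:
        if cur.name == cur.issuer:
            return None  # ended at a self-signed cert that is not trusted
        nxt = next((c for p in pools for c in p
                    if c.name == cur.issuer and c not in path), None)
        if nxt is None:
            return None  # "unable to get issuer certificate"
        path.append(nxt)
        cur = nxt
    return path

def alt_path_verify(leaf, sent, trusted):
    """NSS-style search: try every issuer candidate (trust store first) and
    backtrack until some path ends at a trusted cert. Returns path or None."""
    def search(path):
        cur = path[-1]
        if cur in trusted:
            return path
        for cand in trusted + sent:
            if cand.name == cur.issuer and cand not in path:
                found = search(path + [cand])
                if found:
                    return found
        return None
    return search([leaf])
```

With the 2015 store the forward walk returns None while the search returns `[LEAF, NEW_ROOT]`; with the 2014 store the forward walk succeeds again through the legacy root, which is what reverting the package buys.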
