On Mon, Mar 20, 2017 at 1:13 PM, Michael Shuler <mich...@pbandjelly.org> wrote:
> Control: tags -1 + moreinfo
>
> On 03/17/2017 04:38 PM, Alex Gaynor wrote:
> > Package: ca-certificates
> > Severity: normal
>
> What version of ca-certificates?

20161130 (latest from Debian Testing)

> > The ca-certificates package includes legacy root certificates which have
> > 1024-bit RSA keys. These are considered weak by modern standards, and
> > have been removed from the upstream Mozilla trust store.
>
> Please, be specific: what 1024-bit roots?

Going through certificates found in /etc/ssl/certs/ca-certificates.crt, here are the subjects and serial numbers for certs with 1024-bit RSA public keys.

[([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Equifax')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'Equifax Secure Certificate Authority')>], 903804111),
 ([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Equifax Secure Inc.')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Equifax Secure Global eBusiness CA-1')>], 1),
 ([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'Equifax Secure Inc.')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Equifax Secure eBusiness CA-1')>], 4),
 ([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'VeriSign, Inc.')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'Class 1 Public Primary Certification Authority')>], 84287173645887463140025226144593929437L),
 ([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'VeriSign, Inc.')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'Class 2 Public Primary Certification Authority - G2')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'(c) 1998 VeriSign, Inc. - For authorized use only')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'VeriSign Trust Network')>], 246153180488710619953605749449532672687L),
 ([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value=u'US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value=u'VeriSign, Inc.')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'Class 3 Public Primary Certification Authority')>], 149843929435818692848040365716851702463L)]

(I apologize for the somewhat verbose format these are in)

> > For a while these were needed to workaround a bug in OpenSSL X.509 path
> > building logic, but that bug has since been resolved so these are now
> > vestigial and a risk.
>
> ca-certificates version 20140927 removed the 1024-bit certificates when
> updating the mozilla CA bundle to 2.1.
>
> Please, provide some details about your installation, otherwise, this
> was fixed long ago.
>
> --
> Kind regards,
> Michael

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6