On Fri, 2014-10-31 at 16:28 +0100, Kai Engert wrote: > I confirm that using GnuTLS 3.3.9-2.fc21 on Fedora 21 testing, > with ca-certificates-2014.2.1-1.3.fc21, > and ca-legacy set to disabled, > the command > gnutls-cli -p443 www.amazon.com > reports a trusted certificate.
This isn't a recent change, see [1]. I presume Amazon is most likely still broken in Epiphany (when these roots are removed) as there's been no action on [1], where we decided that gnutls-cli accepted www.amazon.com because it uses certs if they're valid for either email or TLS, whereas GLib only uses certs if they're valid for TLS. Note that due to CDN magic, sites like Amazon load lots of subresources like images and CSS over connections using unrelated certs, so a more reliable test is to actually open the web page in a browser. P.S. To both Kai and Nikos: thanks for all your effort on this matter. A couple months ago I was quite worried, but now I expect things will turn out fine. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1134602
signature.asc
Description: This is a digitally signed message part
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
