Bug 1335928
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Disable CA certificates with 1024-bit or less parameters by default | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Nikos Mavrogiannopoulos <nmavrogi> |
| Component: | ca-certificates | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> |
| Status: | CLOSED CANTFIX | QA Contact: | Stanislav Zidek <szidek> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.9 | CC: | pvrabec, szidek |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-31 13:25:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1386679, 1386680, 1386683 | | |
| Bug Blocks: | | | |
Description
Nikos Mavrogiannopoulos
2016-05-13 14:36:59 UTC
This is blocked by the bugs on the dependency list. These 1024-bit CAs are still referenced by a significant percentage of sites in the public web, which include (optional) intermediate CAs in the chains sent out by the servers, which point to the legacy CAs. Removing these CAs, or in other words, no longer trusting them, would have the consequence that applications, which are based on OpenSSL, GnuTLS and glib-networking (and possibly others), could no longer verify certificates from the affected servers, and as a result, would refuse to connect to them by default. In order to avoid this regression, I've been asked to not perform this removal at this time. Two dependency bugs have been marked as wontfix. I'm afraid this means this one cannot be fixed either.