RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Firefox 38 ESR, current upstream release date is May 12 2015, requires nss-3.18.

*** Bug 1200939 has been marked as a duplicate of this bug. ***

Created attachment 1006380 [details]
Patch to keep 1024 bit legacy CA certificates enabled in the NSS root CA module

I suggest to include this patch in the NSS 3.18 package.

It keeps the trust flags of legacy root CA certificates enabled, as they were before Mozilla decided to phase them out in Firefox.

This patch has the certificates that were changed in the upstream releases version 2.1, 2.2 and 2.3

See also this page which documents the changes:
https://fedoraproject.org/wiki/CA-Certificates


This patch will affect users who are still using the default configuration of RHEL 6, which DOESN'T yet use the shared system certificate store.


If users of RHEL 6.5 and later would like to disable the legacy CAs, they can:

- migrate their system to the new shared CA store by executing:
  update-ca-trust enable

- disable the legacy root CAs:
  ca-legacy disable

(The ca-legacy command will be introduced in version 2.3 of the ca-certificates pacakge.)

Created attachment 1009282 [details]
All changes for rebasing plus two bug fixes

This is actually for rhel-6.6.z, attaching it here because the clone of this bug hasn't be filed yet. Includes fixes for Bug 1123092 and Bug 1131311.

My mistake, the clone is filed. I'll attach it there.