Bug 1367573 - Remove several legacy CAs, as of upstream update 2.10
Summary: Remove several legacy CAs, as of upstream update 2.10
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ca-certificates
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 6.9
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On: 1386679 1386680 1386683
Blocks: 1339235
 
Reported: 2016-08-16 20:14 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2017-08-31 13:25 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-31 13:25:35 UTC
Target Upstream Version:
Embargoed:

Links:
  Red Hat Bugzilla 1335928 (CLOSED, priority unspecified): Disable CA certificates with 1024-bit or less parameters by default (last updated 2021-02-22 00:41:40 UTC)

Description Kai Engert (:kaie) (inactive account) 2016-08-16 20:14:49 UTC
I suggest that we remove a subset of the legacy CAs that we keep included in the RHEL 6 ca-certificates package.

For RHEL 6.9, I suggest we rebase to version 2.10, which I expect to be part of Firefox 51.

The subject of this bug isn't about the rebase, but about the legacy removals, which in my opinion are justified based on the decisions made by the upstream Mozilla CA maintainers.

As of today, RHEL 6.x contains ca-certificates version 2.6

As explained here:
  https://fedoraproject.org/wiki/CA-Certificates#Changes_in_Version_2.7
upstream 2.7 has removed the four CAs mentioned there, because:
"The removal was based on information provided by the organizations that had issued the certificates, who stated that all of these certificates have been retired, either completely, or retired for public use."

I believe this is sufficient indication that they aren't required any more on the public internet.

In addition, as stated in this bug:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1288250
"Please remove the following root certificates from NSS, because they are not included in the current audit statements."

If they aren't under audit any more, we should remove them.


To summarize, I suggest removing the following CAs from the legacy list in RHEL 6.9:

 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F

 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B

 # Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 105 (0x69)
 # Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:10:22 1999
 # Not Valid After : Wed Feb 20 14:10:22 2019
 # Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
 # Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF

 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:08:11 1999
 # Not Valid After : Wed Feb 20 14:08:11 2019
 # Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
 # Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B

 # Trust for Certificate "Equifax Secure Global eBusiness CA"
 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
 # Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45

 # Trust for Certificate "Equifax Secure eBusiness CA 1"
 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
 # Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41

 # Trust for Certificate "Equifax Secure CA"
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

Comment 1 Kai Engert (:kaie) (inactive account) 2016-08-16 20:16:07 UTC
The previous comment lists 9 CAs.

Although the sum of the mentioned links is 10 CAs, apparently one of the CAs isn't part of our legacy handling.

Comment 7 Kai Engert (:kaie) (inactive account) 2016-10-19 12:40:12 UTC
This is blocked by the bugs on the dependency list.

Comment 8 Kai Engert (:kaie) (inactive account) 2016-10-24 10:54:40 UTC
These 1024-bit CAs, which have been completely removed by Mozilla in version 2.10, are still referenced by a significant percentage of sites in the public web, which include (optional) intermediate CAs in the chains sent out by the servers, which point to the legacy CAs.

Removing these CAs, or in other words, no longer trusting them, would have the consequence that applications, which are based on OpenSSL, GnuTLS and glib-networking (and possibly others), could no longer verify certificates from the affected servers, and as a result, would refuse to connect to them by default.

In order to avoid this regression, I've been asked to not perform this removal at this time.

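The regression comment 8 describes, reproduced with constructed certificates. This is an added example, not code from the bug report, from Red Hat or from the ca-certificates package. A 1024-bit "legacy" root signs an intermediate, the intermediate signs a server certificate, and the client is handed leaf plus intermediate, as the servers mentioned in comment 8 do. `openssl verify` succeeds while the legacy root is in the trust bundle and fails once it is removed. The removal is done by SHA1 fingerprint, the identifier the CA list in the description uses, and the same helper reports whether a bundle still carries one of the fingerprints listed above (on a RHEL 6 system you would point it at /etc/pki/tls/certs/ca-bundle.crt instead of the constructed bundle); a further helper lists CAs with keys of 1024 bits or less, the criterion of linked bug 1335928. The script assumes the openssl command-line tool is on PATH; every subject name, file name and function name in it is made up.

```shell
#!/bin/sh
# Added example (not from the bug report, Red Hat or ca-certificates): reproduce
# comment 8 with made-up certificates. A 1024-bit "legacy" root signs an
# intermediate, which signs a server leaf. The client gets leaf + intermediate;
# verification works only while the legacy root is in the trust bundle.
# Assumes the openssl CLI is on PATH. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERIAL=0

# Minimal req config so `openssl req` works without a system openssl.cnf,
# plus the extensions that make a certificate a CA.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# issue NAME BITS SUBJECT ISSUER EXTFILE: ISSUER "self" = self-signed root; EXTFILE "" = end entity
issue() {
  name=$1 bits=$2 subj=$3 issuer=$4 ext=$5
  SERIAL=$((SERIAL + 1))
  openssl genrsa -out "$WORK/$name.key" "$bits" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr"
  set -- -req -in "$WORK/$name.csr" -set_serial "$SERIAL" -days 3650 -sha256 -out "$WORK/$name.pem"
  if [ "$issuer" = self ]; then set -- "$@" -signkey "$WORK/$name.key"
  else set -- "$@" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key"; fi
  if [ -n "$ext" ]; then set -- "$@" -extfile "$ext"; fi
  openssl x509 "$@" 2>/dev/null
}

sha1_fp()  { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }
key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# split_bundle BUNDLE DIR: one file per PEM certificate, in bundle order
split_bundle() {
  rm -rf "$2"; mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# bundle_has_fingerprint BUNDLE SHA1: succeed if a certificate with that fingerprint is present
bundle_has_fingerprint() {
  split_bundle "$1" "$WORK/q"
  for c in "$WORK/q"/*.pem; do
    if [ "$(sha1_fp "$c")" = "$2" ]; then return 0; fi
  done
  return 1
}

# drop_fingerprint BUNDLE SHA1 OUT: copy BUNDLE to OUT minus the certificate with that fingerprint
drop_fingerprint() {
  split_bundle "$1" "$WORK/d"
  : > "$3"
  for c in "$WORK/d"/*.pem; do
    if [ "$(sha1_fp "$c")" != "$2" ]; then cat "$c" >> "$3"; fi
  done
}

# weak_cas BUNDLE: print "BITS SHA1" for every CA key of 1024 bits or less (bug 1335928 criterion)
weak_cas() {
  split_bundle "$1" "$WORK/w"
  for c in "$WORK/w"/*.pem; do
    bits=$(key_bits "$c")
    if [ "$bits" -le 1024 ]; then echo "$bits $(sha1_fp "$c")"; fi
  done
}

# verify_chain TRUST_BUNDLE: what an OpenSSL client does with the leaf + intermediate a server sends
verify_chain() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

issue legacy 1024 "/O=Example Legacy CA/CN=Example Legacy Root" self "$WORK/ca.ext"
issue modern 2048 "/O=Example Modern CA/CN=Example Modern Root" self "$WORK/ca.ext"
issue inter  2048 "/O=Example Legacy CA/CN=Example Intermediate" legacy "$WORK/ca.ext"
issue leaf   2048 "/CN=www.example.test" inter ""
cat "$WORK/modern.pem" "$WORK/legacy.pem" > "$WORK/bundle.pem"   # stand-in for ca-bundle.crt
LEGACY_FP=$(sha1_fp "$WORK/legacy.pem")
drop_fingerprint "$WORK/bundle.pem" "$LEGACY_FP" "$WORK/trimmed.pem"  # the proposed removal

echo "CAs of 1024 bits or less in the bundle:"; weak_cas "$WORK/bundle.pem"
if verify_chain "$WORK/bundle.pem"; then echo "legacy root trusted: verify OK"; fi
if verify_chain "$WORK/trimmed.pem"; then echo "legacy root removed: verify OK"
else echo "legacy root removed: verify FAILS (unable to get issuer certificate)"; fi
# Same check against a fingerprint copied from the description's list (VeriSign Class 3 G2);
# point it at /etc/pki/tls/certs/ca-bundle.crt to audit a real RHEL 6 trust store.
if bundle_has_fingerprint "$WORK/bundle.pem" "85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F"
then echo "listed legacy CA present"; else echo "listed legacy CA not in this bundle"; fi
```

The failure mode is the one comment 8 predicts: the server's chain is complete up to the intermediate, but with the root gone from the bundle OpenSSL has no trust anchor to reach and reports "unable to get issuer certificate". GnuTLS and glib-networking clients fail the same way, since they consult the same bundle.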
Comment 10 Kai Engert (:kaie) (inactive account) 2017-08-31 13:25:35 UTC
Two dependency bugs have been marked as wontfix.
I'm afraid this means this one cannot be fixed either.

