171149 – Missing CA certificates in ca-bundle.crt

Bug 171149 - Missing CA certificates in ca-bundle.crt

Summary: Missing CA certificates in ca-bundle.crt

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	openssl
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-10-18 18:57 UTC by seph
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-01-05 16:09:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description seph 2005-10-18 18:57:38 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5

Description of problem:
Because wget now enforces ssl cert validity, I discovered that the ca-bundle.crt is missing several common certs. This is quite inconvient, and I think ca-bundle.crt should include them.

It seems to be missing most of the Equifax certs, which are now sold by geotrust. The one my certs are signed with is:

# cat Equifax_Secure_Global_eBusiness_CA.pem 
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJV
UzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1
aWZheCBTZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0
MDAwMFoXDTIwMDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
E0VxdWlmYXggU2VjdXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJl
IEdsb2JhbCBlQnVzaW5lc3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAuucXkAJlsTRVPEnCUdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQy
td4zjTov2/KaelpzmKNc6fuKcxtc58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORR
OhI8bIpaVIRw28HFkM9yRcuoWcDNM50/o5brhTMhHD4ePmBudpxnhcXIw2EC
AwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQFMAMBAf8w
HwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0OBBYEFL6o
oHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUAA4GBADDiAVGqx+pf
2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkAZ70Br83gcfxa
z2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv8qIYNMR1
pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV


Version-Release number of selected component (if applicable):
openssl-0.9.7a-43.2

How reproducible:
Always

Steps to Reproduce:
1. use any ssl based tool


Additional info:

Comment 1 Tomas Mraz 2005-10-21 11:56:30 UTC

Are these certificates contained in recent Mozilla/Firefox releases? We are
keeping certificates in ca-bundle.crt in sync with Mozilla.

Comment 2 seph 2005-10-21 14:07:52 UTC

They've been in firefox as long as I've been using it.

Comment 3 Tomas Mraz 2006-01-05 16:09:12 UTC

This problem will be resolved in the next release of Red Hat Enterprise Linux.
Red Hat does not currently plan to provide a resolution for this in a Red Hat
Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.

Note You need to log in before you can comment on or make changes to this bug.