[Bug 201831] There is no "Thawte Premium Server CA" in the security/ca_root_nss

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Jul 24 15:46:00 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201831

Jan Beich <jbeich at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |Works As Intended
             Status|New                         |Closed
                URL|                            |https://blog.mozilla.org/se
                   |                            |curity/2015/01/28/phase-2-p
                   |                            |hasing-out-certificates-wit
                   |                            |h-1024-bit-rsa-keys/
              Flags|maintainer-feedback?(gecko@ |maintainer-feedback+
                   |FreeBSD.org)                |

--- Comment #1 from Jan Beich <jbeich at FreeBSD.org> ---
Mozilla removed Thawte Premium Server CA because it uses a 1024-bit RSA key. If
you really want such roots, try using the CKBI 1.98 flavor.

It works fine with OpenSSL 1.0.1p on 11.0-CURRENT or security/openssl port.
openssl(1) there also no longer requires -CAfile to verify certs by default.

$ openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU =
"(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV
SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server
CA/emailAddress=premium-server at thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server
CA/emailAddress=premium-server at thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server
CA/emailAddress=premium-server at thawte.com
---

-- 
You are receiving this mail because:
You are the assignee for the bug.
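
The transcript in the comment above reports verification up to depth 2 while the server sent four certificates. As an added example (not part of the bug report or of any FreeBSD or OpenSSL code), this Python sketch parses s_client output and lists which sent certificates sit above the highest verified depth. The function names are hypothetical, and the sample is constructed from the transcript above with wrapped lines rejoined and DNs shortened to their CN.

```python
import re

# Constructed sample: the s_client transcript from the comment above, with
# wrapped lines rejoined and each DN shortened to its CN.
SAMPLE = """\
depth=2 CN = thawte Primary Root CA
verify return:1
depth=1 CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/CN=thawte DV SSL CA - G2
 1 s:/CN=thawte DV SSL CA - G2
   i:/CN=thawte Primary Root CA
 2 s:/CN=thawte Primary Root CA
   i:/CN=Thawte Premium Server CA
 3 s:/CN=Thawte Premium Server CA
   i:/CN=Thawte Premium Server CA
---
"""

def cn(dn):
    """Extract the CN from 'CN = x' (verify lines) or '/CN=x' (chain lines)."""
    m = re.search(r"\bCN\s*=\s*([^/,\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def analyse(transcript):
    """Compare the verified path with the chain the server sent."""
    verified, sent, errors = {}, [], []
    for line in transcript.splitlines():
        if m := re.match(r"depth=(\d+)\s+(.*)", line):
            verified[int(m.group(1))] = cn(m.group(2))
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := re.match(r"\s*(\d+) s:(.*)", line):
            sent.append([int(m.group(1)), cn(m.group(2)), None])
        elif (m := re.match(r"\s+i:(.*)", line)) and sent:
            sent[-1][2] = cn(m.group(1))
    top = max(verified, default=None)
    return {
        "top_verified": verified.get(top),
        "errors": errors,
        # Sent certificates above the highest depth the verifier reported.
        "sent_beyond_path": [s for i, s, _ in sent if top is not None and i > top],
        # Sent certificate at that depth that is not self-signed (a cross-cert).
        "cross_cert_at_top": any(i == top and s != iss for i, s, iss in sent),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the sample, the only sent certificate above the verified path is Thawte Premium Server CA, the root the bug reports as missing from security/ca_root_nss.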