ca_root_nss and MD5 root certs
Michael Gmelin
freebsd at grem.de
Sun Mar 29 13:54:26 UTC 2015
I noticed that recent versions of ca_root_nss removed root certificates
that use an MD5 signature hash.
Even though I think is is the Right Thing(tm) to do, it leads to
problems when talking to systems that use certificates signed by one of
those root CAs. Unfortunately there seem to be a lot of systems out
there that rely on such a certificate, especially this one:
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c)
2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailAddress=premium-server at thawte.com
These sites still work in Chrome, I'm not certain what they're doing to
verify.
It's a bit problematic, as updating ca_root_nss effectively cuts one
off other systems and APIs.
Is there any recommended workaround (other than manually adding the
root and locking the package)?
Thanks,
Michael
--
Michael Gmelin
More information about the freebsd-ports
mailing list