retitle 812488 Alternative chain verification failure after 1024b root CAs removal
severity 812488 grave
thanks
On Thu, 25 Feb 2016 09:14:19 -0600 Michael Shuler <mich...@pbandjelly.org> wrote:
> On 02/22/2016 04:12 AM, Christian Beer wrote:
> > It seems that the openssl update is not happening soon. Can you please
> > include the 1024bit certificates again to solve this regression?
>
> Yeah, I have a work in progress branch that re-includes the 1024-bit
> CAs. Ran back into #743339 on upgrade, so needs some additional testing..

After a jessie upgrade today, I got the same regression and spent some time
debugging it (before finding this report) and got to the same conclusion as
others here: a side effect of removing the 1024b root CAs is that OpenSSL 1.0.1
fails to verify alternative chains (where a server-sent intermediate CA is a
locally trusted root one).

I'm re-titling and raising the severity here, hoping it will help other people
notice the regression in the meanwhile.

Cheers, Luca

--
.''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :' :   The Universal O.S.    | lucab (AT) debian.org
`. `'`                         | GPG: 0xBB1A3A854F3BBEBF
  `-     http://www.debian.org | Debian GNU/Linux Developer
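The failure mode described in the report, shown as an added toy model (this is not Debian's or OpenSSL's code, and it is a deliberate simplification of X.509 path building): a verifier that walks the server-sent chain to its end and only then consults the trust store, beside one that checks the trust store at every step of the walk. The certificates are constructed stand-ins carrying subject and issuer names only, with no keys or signatures; the names `Example Root CA (1024-bit)`, `Example Root CA 2 (2048-bit)` and `www.example.org` are invented for the illustration. `STORE_BEFORE` models a ca-certificates bundle that still contains the old 1024-bit root, `STORE_AFTER` the bundle with it removed.

```python
"""Toy model of chain building to illustrate why removing an old 1024-bit
root breaks a verifier that does not consider alternative chains.
Constructed example, not OpenSSL's actual algorithm."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in certificate: only the names matter for path building here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def walk_untrusted(leaf: Cert, untrusted: List[Cert]) -> List[Cert]:
    """Follow issuer links through the server-sent (untrusted) certificates,
    starting at the leaf, until a self-signed cert or a dead end is reached."""
    by_subject = {c.subject: c for c in untrusted}
    chain = [leaf]
    seen = {leaf.subject}
    while not chain[-1].self_signed:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt.subject in seen:  # dead end or loop
            break
        seen.add(nxt.subject)
        chain.append(nxt)
    return chain


def verify_strict(leaf: Cert, untrusted: List[Cert], store: List[Cert]) -> Optional[List[Cert]]:
    """Walk the untrusted chain as far as it goes, then look for the issuer of
    the topmost cert in the trust store. If that issuer (the old root) has been
    removed, verification fails even though a trusted copy of the intermediate
    exists in the store. Returns the chain or None."""
    chain = walk_untrusted(leaf, untrusted)
    top = chain[-1]
    if top.self_signed:
        return chain if top in store else None
    anchor = next((c for c in store if c.subject == top.issuer), None)
    return chain + [anchor] if anchor is not None else None


def verify_alt(leaf: Cert, untrusted: List[Cert], store: List[Cert]) -> Optional[List[Cert]]:
    """Alternative-chain behaviour: at each step, if the current cert's subject
    is itself a trust anchor, swap in the trusted copy and stop there; otherwise
    try its issuer in the store; otherwise drop the top cert and retry one level
    down. Returns the first chain that ends in a trust anchor, or None."""
    trusted_by_subject = {c.subject: c for c in store}
    chain = walk_untrusted(leaf, untrusted)
    while chain:
        top = chain[-1]
        if top.subject in trusted_by_subject:
            return chain[:-1] + [trusted_by_subject[top.subject]]
        if not top.self_signed and top.issuer in trusted_by_subject:
            return chain + [trusted_by_subject[top.issuer]]
        chain.pop()
    return None


# Constructed PKI: an old 1024-bit root, a newer 2048-bit root that is both
# self-signed (shipped in the trust store) and cross-signed by the old root
# (sent by servers as an "intermediate"), and a leaf issued by the new root.
OLD_ROOT = Cert("Example Root CA (1024-bit)", "Example Root CA (1024-bit)")
NEW_ROOT = Cert("Example Root CA 2 (2048-bit)", "Example Root CA 2 (2048-bit)")
CROSS = Cert("Example Root CA 2 (2048-bit)", "Example Root CA (1024-bit)")
LEAF = Cert("www.example.org", "Example Root CA 2 (2048-bit)")

SERVER_SENT = [LEAF, CROSS]          # what the TLS server hands over
STORE_BEFORE = [OLD_ROOT, NEW_ROOT]  # bundle before the 1024-bit removal
STORE_AFTER = [NEW_ROOT]             # bundle after the removal


def names(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.subject for c in chain]


if __name__ == "__main__":
    print("strict, before:", names(verify_strict(LEAF, SERVER_SENT, STORE_BEFORE)))
    print("strict, after: ", names(verify_strict(LEAF, SERVER_SENT, STORE_AFTER)))
    print("alt,    after: ", names(verify_alt(LEAF, SERVER_SENT, STORE_AFTER)))
```

With the old root present, the strict walk succeeds via the three-cert path ending at the 1024-bit root; once that root is dropped from the store the same walk fails at the cross-signed intermediate, while the alternative-chain verifier notices that the intermediate's subject is already a trust anchor and terminates the chain there.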