Re: update on ca-certificates, introducing the ca-legacy utility

2014-12-02 Thread Kai Engert
On Fri, 2014-11-21 at 17:17 +0100, Kai Engert wrote:
 https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
 https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20

I'd appreciate more testing feedback.

I'd like to push these packages into the stable updates channel, soon.

Thanks in advance,
Kai


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

update on ca-certificates, introducing the ca-legacy utility

2014-11-21 Thread Kai Engert
On Fri, 2014-10-31 at 14:05 +0100, Kai Engert wrote:
 All legacy root CA certificates, which seem to be required for full
 compatibility with either OpenSSL or GnuTLS, will continue to be
 included and enabled in the ca-certificates package.
 
 For users who are willing to accept the breakage and prefer using the
 latest trust, only, we provide a mechanism to disable the legacy trust.
 
 I've described the proposed approach in more detail at
 https://bugzilla.redhat.com/show_bug.cgi?id=1158197
 
 I've pushed experimental packages with this implementation to Rawhide
 and updates-testing for Fedora 21. I have disabled the karma automatism,
 because I'll be offline for the next 2 weeks, and don't want things to
 go live while I'm away. I think it will be helpful to collect test
 feedback during that time, and see if it's suitable, and make a
 ship/no-ship decision of this approach later.


In the meantime, while I was on vacation, the above has been
(accidentally) pushed as a stable update for Fedora 21 already:
ca-certificates-2014.2.1-1.5.fc21.noarch

It seems it will be included in the final release of Fedora 21. Given
that we keep legacy trust enabled, and given that I haven't seen any
problem reports, it's probably OK.

Using the new ca-legacy utility, users/administrators who are willing to
accept the compatibility issues and who prefer to closely follow the
Mozilla CA trust decisions, can disable trust for the legacy root CA
certificates as a systemwide configuration, by executing this command as
root:
  ca-legacy disable

The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
and will be used on future package upgrades, when additional
certificates are moved to the legacy state.

If required, it's possible to undo the configuration and restore to the
current default, using:
  ca-legacy enable

The current configuration can be shown using:
  ca-legacy check

Regarding Fedora 19 and Fedora 20:

On F19/F20, GnuTLS is also affected by the breakage, when disabling
trust for the legacy CAs, because GnuTLS has been enhanced in Fedora 21
and later, only.

Updated packages for F19 and F20, that provide the update to version 2.1
of the ca-certificates list, and which also include the new ca-legacy
utility and configuration mechanism, have been pushed to
updates-testing:
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20

Kai



Re: update on ca-certificates, introducing the ca-legacy utility

2014-11-21 Thread Kai Engert
FYI, I'm documenting the changes that we make on top of the Mozilla CA
list at:
https://fedoraproject.org/wiki/CA-Certificates

Kai



Re: update on ca-certificates, introducing the ca-legacy utility

2014-11-21 Thread Stephen Gallagher
On Fri, 2014-11-21 at 14:03 +0100, Kai Engert wrote:
 On Fri, 2014-10-31 at 14:05 +0100, Kai Engert wrote:
  All legacy root CA certificates, which seem to be required for full
  compatibility with either OpenSSL or GnuTLS, will continue to be
  included and enabled in the ca-certificates package.
  
  For users who are willing to accept the breakage and prefer using the
  latest trust, only, we provide a mechanism to disable the legacy trust.
  
  I've described the proposed approach in more detail at
  https://bugzilla.redhat.com/show_bug.cgi?id=1158197
  
  I've pushed experimental packages with this implementation to Rawhide
  and updates-testing for Fedora 21. I have disabled the karma automatism,
  because I'll be offline for the next 2 weeks, and don't want things to
  go live while I'm away. I think it will be helpful to collect test
  feedback during that time, and see if it's suitable, and make a
  ship/no-ship decision of this approach later.
 
 
 In the meantime, while I was on vacation, the above has been
 (accidentally) pushed as a stable update for Fedora 21 already:
 ca-certificates-2014.2.1-1.5.fc21.noarch
 
 It seems it will be included in the final release of Fedora 21. Given
 that we keep legacy trust enabled, and given that I haven't seen any
 problem reports, it's probably OK.
 
 Using the new ca-legacy utility, users/administrators who are willing to
 accept the compatibility issues and who prefer to closely follow the
 Mozilla CA trust decisions, can disable trust for the legacy root CA
 certificates as a systemwide configuration, by executing this command as
 root:
   ca-legacy disable
 
 The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
 and will be used on future package upgrades, when additional
 certificates are moved to the legacy state.
 
 If required, it's possible to undo the configuration and restore to the
 current default, using:
   ca-legacy enable
 
 The current configuration can be shown using:
   ca-legacy check
 
 Regarding Fedora 19 and Fedora 20:
 
 On F19/F20, GnuTLS is also affected by the breakage, when disabling
 trust for the legacy CAs, because GnuTLS has been enhanced in Fedora 21
 and later, only.
 
 Updated packages for F19 and F20, that provide the update to version 2.1
 of the ca-certificates list, and which also include the new ca-legacy
 utility and configuration mechanism, have been pushed to
 updates-testing:
 https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
 https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20
 
 Kai
 
 

Kai, this is very important information buried at the bottom of a long
email thread; would you mind re-sending this summary in a new thread
(also to devel-announce) so that people are sure to see it?



update on ca-certificates, introducing the ca-legacy utility

2014-11-21 Thread Kai Engert
Resending this as a new thread, for increased visibility.

As explained in the older thread, the Mozilla project has started to
remove CA certificates that contain weak keys. Those removals cause
issues with software based on OpenSSL, and software based on older
versions of GnuTLS.

(A short description of the issue can be found in tracker bug
https://bugzilla.redhat.com/show_bug.cgi?id=1166614 - I intend to file a
ticket against OpenSSL shortly.)

For Fedora, we have decided to keep the legacy CA certificates included
and trusted by default, in order to avoid compatibility issues, until we
get functional updates to OpenSSL.

I'm documenting the changes on top of the Mozilla CA
list at: https://fedoraproject.org/wiki/CA-Certificates

However, we want to provide users/administrators with the ability to
change the default, by configuring the ca-certificates to strictly
follow the trust decisions made by Mozilla, thereby accepting the
compatibility issues (e.g. untrusted TLS connections, if certificates of
affected server configurations cannot be validated).

The above has been implemented for Fedora 21, it looks like it will be
included as part of the Fedora 21 release:
  ca-certificates-2014.2.1-1.5.fc21.noarch

Using the new ca-legacy utility, it is possible to disable trust for the
legacy CA certificates as a systemwide configuration, by executing this
command as root:
  ca-legacy disable

The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
and will be used on future package upgrades, when additional
certificates are moved to the legacy state.

If required, it's possible to undo the configuration and revert to the
current default, using:
  ca-legacy enable

The current configuration can be shown using:
  ca-legacy check

Regarding Fedora 19 and Fedora 20:

On F19/F20, GnuTLS is also affected by the breakage, when disabling
trust for the legacy CAs, because GnuTLS has been enhanced in Fedora 21
and later, only.

Updated packages for F19 and F20, that provide the update to version 2.1
of the ca-certificates list, and which also include the new ca-legacy
utility and configuration mechanism, have been pushed to
updates-testing:

https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20

Kai
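As an added example (not part of the ca-certificates package or of the post above), the shell functions below read the mode recorded in ca-legacy.conf and apply a desired policy idempotently, so that configuration management only calls `ca-legacy enable` or `ca-legacy disable` when the system is not already in the wanted state. The single-key layout of the file (`legacy=default` or `legacy=disable`) and the policy names "strict" and "compat" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the ca-certificates package's own code.
# ASSUMPTION: ca-legacy.conf holds one "legacy=<mode>" line, where <mode>
# is "default" (legacy roots trusted, the Fedora default) or "disable".

CA_LEGACY_CONF=${CA_LEGACY_CONF:-/etc/pki/ca-trust/ca-legacy.conf}

# Print the configured mode from a conf file. A missing file or missing
# key means the package default ("default"); anything else is "unknown".
ca_legacy_mode() {
    conf=${1:-$CA_LEGACY_CONF}
    mode=default
    if [ -r "$conf" ]; then
        # last non-comment "legacy = <token>" assignment wins
        val=$(sed -n 's/^[[:space:]]*legacy[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
        case "$val" in
            disable)    mode=disable ;;
            default|'') mode=default ;;
            *)          mode=unknown
                        echo "warning: unexpected legacy mode '$val' in $conf" >&2 ;;
        esac
    fi
    printf '%s\n' "$mode"
}

# Map an operator policy to the ca-legacy subcommand that enforces it.
# "strict" = follow the Mozilla trust decisions only (ca-legacy disable);
# "compat" = keep the legacy roots trusted (ca-legacy enable).
# Prints "none" when the current mode already satisfies the policy.
ca_legacy_action_for() {
    current=$1 desired=$2
    case "$desired" in
        strict) if [ "$current" = disable ]; then echo none; else echo disable; fi ;;
        compat) if [ "$current" = default ]; then echo none; else echo enable; fi ;;
        *)      echo "error: policy must be strict or compat" >&2; return 1 ;;
    esac
}

# Apply a policy on the running system; needs root, like ca-legacy itself.
ca_legacy_apply() {
    action=$(ca_legacy_action_for "$(ca_legacy_mode)" "$1") || return 1
    if [ "$action" = none ]; then
        echo "ca-legacy: already in desired state ($1)"
    else
        ca-legacy "$action" && ca-legacy check
    fi
}
```

On a system with the updated package, `ca_legacy_apply strict` as root is equivalent to the `ca-legacy disable` step above but is safe to re-run from a provisioning script.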



Re: update on ca-certificates, introducing the ca-legacy utility

2014-11-21 Thread Kai Engert
On Fri, 2014-11-21 at 10:45 -0500, Stephen Gallagher wrote:
 Kai, this is very important information buried at the bottom of a long
 email thread; would you mind re-sending this summary in a new thread
 (also to devel-announce) so that people are sure to see it?

done

