Package: openssl
Version: 1.0.1j-1
Severity: normal

Dear Maintainer,
To avoid security weakness, when 1024-bit RSA root CAs are removed, a verify error occurs on some sites with a cross root CA.

I've seen the following:
https://bugzilla.mozilla.org/show_bug.cgi?id=986005#c4

And the fix patch is the following:
http://rt.openssl.org/Ticket/Display.html?id=3637&user=guest&pass=guest
[PATCH] x509: skip certs if in alternative cert chain

I've tested this patch. No issues were found.

My tests are the following.

1) Build openssl packages with the patch applied and install them.
2) Remove root CAs in /usr/share/ca-certificates/mozilla/:
   Equifax_Secure_*.crt
   GTE_CyberTrust_Global_Root.crt
   Thawte_*.crt
   Verisign_Class_3_Public_Primary_Certification_Authority.crt
   Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
3) [strace] openssl s_client -CApath /etc/ssl/certs -showcerts -connect s3.amazonaws.com:443
   Test other sites, e.g. www.debian.org, www.geotrust.co.jp, dinahosting.com

Thank you.

-- 
Hiroyuki YAMAMORI

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6        2.19-13
ii  libssl1.0.0  1.0.1j-1+p1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20141019

-- no debconf information
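The situation behind this report, reproduced offline with a throwaway PKI: an intermediate "Cross CA" is cross-signed by an old root and the same key and subject also exist as a self-signed root; the server sends leaf + cross cert, and once the old root is deleted from the trust store the verifier has to find the alternative chain that ends at the new root. This is an added example, not part of the bug report or of the OpenSSL patch; it runs against whatever `openssl` binary is on PATH (a current release, where alternative chain building is supported), and every name, key and file in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): build a small PKI with a cross-signed
# intermediate and check which trust stores still verify the leaf. All subjects,
# keys and file names are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: -subj supplies the DN, but req still wants a
# distinguished_name section to exist.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# CA extensions: SKI/AKI are what lets the verifier match the cross cert and the
# new root as the same issuer (same key, same subject, same key identifier).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

genkey() { openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null; }
csr()    { openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null; }

genkey old; genkey cross; genkey leaf
csr old   "/CN=Old Root"           # the root that gets removed from the store
csr cross "/CN=Cross CA"           # one CSR serves both the cross cert and the new root
csr leaf  "/CN=www.example.test"

# Old root: self-signed.
openssl x509 -req -in "$WORK/old.csr" -signkey "$WORK/old.key" -set_serial 1 -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/oldroot.pem" 2>/dev/null
# Cross cert: Cross CA's key, signed by the old root (this is what the server sends).
openssl x509 -req -in "$WORK/cross.csr" -CA "$WORK/oldroot.pem" -CAkey "$WORK/old.key" \
  -set_serial 2 -days 30 -extfile "$WORK/ca.ext" -out "$WORK/cross.pem" 2>/dev/null
# New root: the SAME key and subject as Cross CA, self-signed (what the trust store keeps).
openssl x509 -req -in "$WORK/cross.csr" -signkey "$WORK/cross.key" -set_serial 3 -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/newroot.pem" 2>/dev/null
# Leaf: issued by Cross CA.
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/cross.pem" -CAkey "$WORK/cross.key" \
  -set_serial 4 -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf TRUSTED [UNTRUSTED]: prints OK or FAIL for verifying the leaf
# against a trust store holding only TRUSTED, with UNTRUSTED (the cert a server
# would send alongside the leaf) available for chain building.
verify_leaf() {
  trusted="$WORK/$1.pem"; shift
  if [ $# -gt 0 ]; then set -- -untrusted "$WORK/$1.pem"; else set --; fi
  if openssl verify -CAfile "$trusted" "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# chain_length TRUSTED [UNTRUSTED]: number of certificates in the chain the
# verifier actually built, read from -show_chain output.
chain_length() {
  trusted="$WORK/$1.pem"; shift
  if [ $# -gt 0 ]; then set -- -untrusted "$WORK/$1.pem"; else set --; fi
  openssl verify -show_chain -CAfile "$trusted" "$@" "$WORK/leaf.pem" 2>/dev/null | grep -c '^depth=' || true
}

# subject_of NAME: the subject line of NAME.pem (cross and newroot share it).
subject_of() { openssl x509 -noout -subject -in "$WORK/$1.pem"; }

echo "old root trusted, cross cert sent:    $(verify_leaf oldroot cross) (chain of $(chain_length oldroot cross))"
echo "old root removed, new root trusted:   $(verify_leaf newroot cross) (chain of $(chain_length newroot cross))"
echo "old root trusted, cross cert missing: $(verify_leaf oldroot)"
```

The second line is the case from the report: the only trusted cert is the new self-signed root, the server-sent cross cert points at a root that is no longer in the store, and a verifier that can build alternative chains still succeeds, with a shorter chain that ends at the new root. The third line shows the opposite failure for contrast: with only the old root trusted and no cross cert available there is nothing linking the leaf to the store.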