There are already bugs filed with ca-certificates. I'm going to cross reference them here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812708#15 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812488 There are also other websites and tools affected. I personally think that adding the certificates back to ca-certificates in Jessie is the way to go. Since it works in openssl 1.0.2 you can either upgrade the package in Jessie to 1.0.2 (which is unlikely I think) or backport the fix for 1.0.2 to 1.0.1 upstream (which is even more unlikely). I will also reference the workaround we advise to "downgrade" the ca-certificates package: https://einstein.phys.uwm.edu/forum_thread.php?id=11760&postid=151305 Regards Christian
