Control: block 812708 by -1 Control: severity -1 important Hi,
I wanted to ask if there's any progress on this? Since 1024bit root CAs were removed from ca-certificates in January this year, this has become a real issue, since openssl-based software won't accept some valid certificate chains anymore. This is especially bad, since those sites continue to keep the 1024bit root CA as the final entry of the chain for compatibility with older software, and no other SSL implementation has a problem with that (especially browsers). For example, this breaks curl with those sites, which is used in a large variety of contexts, especially scripting languages. This might lead some people to disable certificate checking altogether because they don't know how to fix this, which is _much_ worse than keeping 1024 bit CAs in the root store. Regards, Christian
signature.asc
Description: OpenPGP digital signature
