On 09/04/2011 10:35 AM, Yves-Alexis Perez wrote: > On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote: >> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote: >>> Looking at the patches, this really is: >> [...] >> >> Ok, with the patches we got NSS covered, but we still need to do >> something for other users. >> >> A first look at stuff we ship, this seems to be their current >> status: * NSS: ice* packages should be okay after the latest NSS >> update. > > For other NSS users I guess they're ok? I've just checked in > evolution certificate store and there's no DigiNotar one, though I > don't know if evolution would prevent connection to an > imap/pop/smtp server with a relevant certificate. > > evolution uses gnutls for calendars (since it's http/https) and so > is protected through ca-certificates afaict? > >> >> * OpenSSL Nothing special here >> >> * GnuTLS Nothing special here >> >> * chromium: Even after the NSS update, it seems to be happy to >> use the Explicitly Distrusted certs. > > I've tried the tree websites given on this bug report but I don't > know if they still make sense: > > https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) > but as the redirect isn't prevented I guess chromium is ok with > the certificate. > > https://sha2.diginotar.nl/ succeeds, chain of certification is: > > CN = sha2.diginotar.nl CN = DigiNotar PKIoverheid CA Organisatie - > G2 CN = Staat der Nederlanden Organisatie CA - G2 CN = Staat der > Nederlanden Root CA - G2 (chromium builtin). > > > Regards,
Chromium needs an update to .220 to properly block all of the DigiNotar certificates. -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
