cURL / Mailing Lists / curl-users / Single Mail


Re: ca-cert bundle missing Verisign cert, breaking SSL to Amazon

From: Lamont Granquist <>
Date: Mon, 27 Oct 2014 15:16:02 -0700

On 10/27/14, 2:56 PM, Daniel Stenberg wrote:
> On Mon, 27 Oct 2014, Lamont Granquist wrote:
>> The latest drops these cert:
> ...
>> If those are being dropped after being scraped, then someone should
>> probably be made aware that its a cert at the base of Amazon's SSL
>> certs and removing that cert from the ca-bundle breaks
>> and
> I'm pretty sure they are dropped on purpose because of the recently
> introduced RSA-1024 bit requirement as mentioned here:
>, at least they vanished with
> that specific mozilla bump.
> That's also a reason why we point to the last cacert.pem from before
> that change on that same web page.
> Of course, it could also be a bug in the mk-ca-bundle script.
> See
> At the bottom it lists these certs as "weak" and I suspect it is that
> attribute that makes our script exclude them.
Yeah, firefox/mozilla's messaging is that they're weak and "planned to
be removed at a later" time. But still works as far as
an end user is concerned in 32.0.x and 33.0.x even though those are
marked as weak. They're still in the mozilla bundle and firefox will
still use them. By excluding them from the curl bundle, though, amazon
and aws just broke hard for consumers of that. I'd say that you've
gotten too far ahead in anticipating dropping the 1024-bit RSA certs
since breaking AWS is a total show stopper for a lot of people -- which
is most likely why mozilla marked them as weak and didn't drop them
completely like the other 1024-bit keys that were totally removed.

List admin:
Received on 2014-10-27