Re: RSA1024 cacert cleanups

From: Daniel Stenberg <>
Date: Fri, 5 Sep 2014 08:55:11 +0200 (CEST)

On Fri, 5 Sep 2014, Daniel Stenberg wrote:

> Just for information to all: Mozilla has recently removed weak certs from
> the CA certs bundle. Weak, in the meaning that they used 1024 bit RSA.

Okay, I've now been educated a bit more on this. (One of these days I'll know
a whole lot about TLS!)

With the use of "path discovery" as per RFC 4158, this removal is not supposed
to cause any problems. If I understand things correctly (that's a pretty big

The only thing here is that OpenSSL and GnuTLS don't do this - at least not on
this ca cert bundle download. And older NSS doesn't either. I bet a lot of the
other TLS libs are in a similar situation.

So, partial breakage and tears to be expected with using this ca cert

SHA-1 certs are planned to get ditched by 2017[*] and will drive the stick
further in.

[*] =!topic/blink-dev/2-R4XziFc7A/discussion[1-25-false]
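As an added illustration of the path-discovery point above (this is not part of the mail, and it uses Go's crypto/x509 chain builder, not OpenSSL or GnuTLS), the following program constructs a small in-memory PKI: one intermediate CA whose key is signed by an old 1024-bit root and, via a cross-certificate, by a newer 2048-bit root. It then runs three verifications: with the old root still trusted; with the old root dropped while the verifier only follows the chain the server sent (the breakage the mail expects); and with the old root dropped but the cross-certificate available to an RFC 4158-style path builder, which then terminates the chain at the new root. All certificate names, the hostname and the key sizes are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed in-memory PKI: one intermediate CA key signed by an
// old 1024-bit root (dropped from the bundle) and cross-signed by a 2048-bit root.
type DemoPKI struct {
	OldRoot     *x509.Certificate // 1024-bit RSA root, removed from the bundle
	NewRoot     *x509.Certificate // 2048-bit RSA root, still in the bundle
	InterViaOld *x509.Certificate // intermediate as issued by OldRoot (what the server sends)
	InterViaNew *x509.Certificate // same key and subject, cross-signed by NewRoot
	Leaf        *x509.Certificate // end-entity certificate for demoHost
}
const demoHost = "www.example.test" // hypothetical hostname, not from the mail

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemoPKI generates all keys and certificates (constructed data).
func BuildDemoPKI() *DemoPKI {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 1024) // the "weak" root size from the mail
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	interKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	oldTmpl := caTemplate("Demo Old Root (1024-bit)", 1)
	newTmpl := caTemplate("Demo New Root (2048-bit)", 2)
	oldRoot := mustCert(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newRoot := mustCert(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// Same subject and key, two issuers: the cross-signing a path builder can use.
	interViaOld := mustCert(caTemplate("Demo Intermediate CA", 3), oldRoot, &interKey.PublicKey, oldKey)
	interViaNew := mustCert(caTemplate("Demo Intermediate CA", 4), newRoot, &interKey.PublicKey, newKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5),
		DNSNames:     []string{demoHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, interViaOld, &leafKey.PublicKey, interKey)
	return &DemoPKI{oldRoot, newRoot, interViaOld, interViaNew, leaf}
}

// TrustedRootCN runs the chain builder with the given trust anchors and known
// intermediates; it returns the CN of the root ending the first chain found.
func TrustedRootCN(leaf *x509.Certificate, inters, roots []*x509.Certificate) (string, error) {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range inters {
		ip.AddCert(c)
	}
	for _, c := range roots {
		rp.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: demoHost, Intermediates: ip, Roots: rp})
	if err != nil {
		return "", err
	}
	return chains[0][len(chains[0])-1].Subject.CommonName, nil
}

func main() {
	p := BuildDemoPKI()
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	// 1. Before the cleanup: old root trusted, server sends the old-root-issued intermediate.
	fmt.Println(TrustedRootCN(p.Leaf, certs(p.InterViaOld), certs(p.OldRoot)))
	// 2. After the cleanup, following only the server-sent chain: unknown authority.
	fmt.Println(TrustedRootCN(p.Leaf, certs(p.InterViaOld), certs(p.NewRoot)))
	// 3. After the cleanup, with the cross-certificate known: chain ends at the new root.
	fmt.Println(TrustedRootCN(p.Leaf, certs(p.InterViaOld, p.InterViaNew), certs(p.NewRoot)))
}
```

The third case only works because the verifier is given an alternative issuer for the intermediate and is willing to try every candidate rather than the one the server presented; a library that stops at the first issuer match behaves like case two once the 1024-bit root is gone from the bundle.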

Received on 2014-09-05