User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140804150629

Steps to reproduce:

A number of our LDAPS-dependent services stopped working after upgrading NSS from 3.16.1 to 3.16.3. We were able to track this down to this change: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes

Notable Changes in NSS 3.16.3 - The following 1024-bit CA certificates were Removed
OU = ValiCert Class 2 Policy Validation Authority
SHA1 Fingerprint: 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6

This CA was used to sign the ValiCert SSL cert used with identity.lbl.gov, which is a 10 year cert that is now only 5 years old.

Actual results:

Example error message: LDAP service down: ldaps://identity.lbl.gov/

Expected results:

We'd like to understand why this specific CA was removed from the NSS bundle and if it's possible to put it back in.
Hi Craig,

NSS is in the process of removing legacy root certificates, including those with keys that are likely to be deprecated in the future (1024-bit RSA keys). The bug tracking this particular effort was https://bugzilla.mozilla.org/show_bug.cgi?id=936304, with the overall bug being https://bugzilla.mozilla.org/show_bug.cgi?id=881553

You can see the owner of this certificate requested its removal in July, 2013 - https://bugzilla.mozilla.org/show_bug.cgi?id=881553#c11

The CAs owning these certificates have been attempting to reach out to their customers and ensure they are aware of the changes and have alternatives. I suspect that if you contact them, they will be able to provide you with a proper chain, one that is supported by the CA and follows modern cryptographic best practices.

It's not something that the NSS dev team are considering adding back in, especially since the CA indicated they were prepared for this certificate to be removed in Q1 2014, and now it's nearly Q4.
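The report above identifies the dropped root by its SHA-1 fingerprint, and the reply explains that 1024-bit RSA roots are being retired. The following Go program, added here as an example and not code from NSS, Mozilla or the reporter, audits a certificate chain for both conditions: a certificate whose fingerprint matches a root removed from NSS (the ValiCert Class 2 fingerprint from the release note, written without colons), and any certificate with an RSA key shorter than 2048 bits. The chain it audits is constructed in-process (a 2048-bit leaf under a 1024-bit root, mirroring the LDAPS setup in the report); names such as ldap.example.test and RemovedRoots are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// RemovedRoots: SHA-1 fingerprint -> name of roots dropped from NSS (here the one from the 3.16.3 note).
var RemovedRoots = map[string]string{
	"317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6": "ValiCert Class 2 Policy Validation Authority",
}
// Fingerprint returns the uppercase hex SHA-1 over the DER encoding, the form NSS release notes print.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%X", sha1.Sum(c.Raw)) }
// AuditChain reports certificates on the removed-root list or carrying an RSA key shorter than 2048 bits.
func AuditChain(chain []*x509.Certificate) []string {
	var findings []string
	for _, c := range chain {
		if name, ok := RemovedRoots[Fingerprint(c)]; ok {
			findings = append(findings, c.Subject.CommonName+": removed from NSS ("+name+")")
		}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
			findings = append(findings, fmt.Sprintf("%s: %d-bit RSA key", c.Subject.CommonName, pub.N.BitLen()))
		}
	}
	return findings
}
// newCert mints a constructed test certificate (nil parent = self-signed CA); not a real CA, errors ignored on fixed input.
func newCert(cn string, bits int, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// DemoChain mirrors the report: a 2048-bit LDAPS leaf issued under a 1024-bit root (constructed data).
func DemoChain() []*x509.Certificate {
	root, rootKey := newCert("Constructed 1024-bit Root", 1024, 1, nil, nil)
	leaf, _ := newCert("ldap.example.test", 2048, 2, root, rootKey)
	return []*x509.Certificate{leaf, root}
}
```

To audit a real server, replace DemoChain with the certificates parsed from the chain the LDAPS endpoint presents; a root that is flagged here will fail validation once the client's NSS no longer ships it.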
Kathleen, should this be marked WONTFIX?
Hi Craig,

I apologize for this inconvenience.

The ValiCert Class 2 root cert can be downloaded from here: https://certificates.godaddy.com/repository

There is also a link on that page called: "How to report a certificate problem"

Perhaps you can reach out to GoDaddy to find out the best solution for your situation.

I am closing this bug as "WONTFIX", because we do not plan to add this legacy 1024-bit root back to NSS.

Regards,
Kathleen
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX