Closed Bug 554334 Opened 10 years ago Closed 10 years ago
Disable Legacy Roots in NSS
This bug requests that the following root certificates be disabled (all three trust bits turned off) in the NSS root certificate store. This request has been assessed in accordance with the Mozilla project guidelines, and the disablement of the certificates has been approved in bug #534274.

Please disable the following root certificates in NSS by turning off all three trust bits:

CN = GTE CyberTrust Root
SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64

CN = beTRUSTed Root CA
SHA1 Fingerprint: 5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38

CN = beTRUSTed Root CA-Baltimore Implementation
SHA1 Fingerprint: DC:BB:9E:B7:19:4B:C4:72:05:C1:11:75:29:86:83:5B:53:CA:E4:F8

CN = beTRUSTed Root CA - Entrust Implementation
SHA1 Fingerprint: 72:99:79:13:EC:9B:0D:AE:65:D1:B6:D7:B2:4A:76:A3:AE:C2:EE:16

CN = beTRUSTed Root CA - RSA Implementation
SHA1 Fingerprint: 1D:82:59:CA:21:27:C3:CB:C1:6C:D9:32:F6:2C:65:29:8C:A8:87:12

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = UTN-USERFirst-Network Applications
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
The names shown in this bug (CN) are different from the names shown in the NSS source code (nicknames). Therefore I used the following procedure to identify the certificates to remove:
- open cert manager
- search for the cert with the name shown in this bug
- view the cert
- compare the fingerprint to ensure I've found the right cert
- click details
- in the large text area, the initial line lists "builtin object token:" followed by the nickname
- I searched the NSS source code for this nickname and made the requested change
I hope I changed/removed the correct certs. I'll produce a test build where you could verify.
A test build for verification on your preferred platform can be found here: https://email@example.com/ I'd appreciate it if you could have a look to see whether I've removed/disabled the correct roots.
I have installed the test build and verified that the trust bits have been turned off for the root certs listed above. Kai, I apologize for not thinking of this earlier -- I just noticed it while doing the testing, so I have to ask... Would it be reasonable to do the changes for bug 530853 as part of this patch?
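The two steps above, matching a root by its SHA-1 fingerprint rather than by its CN or NSS nickname, and then confirming that all three trust bits are off, can be done directly against certdata.txt instead of through the certificate manager UI. The following is an added example written for this page; it is not code from NSS or from anyone in this bug. It parses the certdata.txt object syntax, looks up the trust object whose CKA_CERT_SHA1_HASH equals the requested fingerprint (which sidesteps the CN-versus-nickname mismatch described above), and reports whether any of CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION or CKA_TRUST_CODE_SIGNING still grants trust. The sample fragment is constructed for the example: only the GTE CyberTrust Root fingerprint is taken from the bug, the second root is made up, and the assumption that both the CKT_NSS_* and the older CKT_NETSCAPE_* value spellings should count is mine.

```python
import re

# CK_TRUST values that grant trust for a purpose.  Current NSS spells them
# CKT_NSS_*; assumption: certdata.txt of this bug's era used CKT_NETSCAPE_*
# for the same meaning, so both are accepted here.
TRUSTED_VALUES = {
    "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED",
    "CKT_NETSCAPE_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED",
}
# The "three trust bits" the bug asks to turn off.
TRUST_BITS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
              "CKA_TRUST_CODE_SIGNING")


def parse_certdata(text):
    """Parse certdata.txt syntax into a list of {attribute: value} dicts.

    Each CKA_CLASS line starts a new object.  MULTILINE_OCTAL values (\\ooo
    escapes up to END) become bytes, UTF8 values lose their quotes, and any
    other value is kept as its literal token (e.g. CKT_NSS_TRUSTED).
    """
    objects = []
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, typ, rest = (line.split(None, 2) + [""])[:3]
        if typ == "MULTILINE_OCTAL":
            raw = []
            for cont in lines:          # consume continuation lines up to END
                if cont.strip() == "END":
                    break
                raw.append(cont.strip())
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(raw)))
        elif typ == "UTF8":
            value = rest.strip('"')
        else:
            value = rest
        if attr == "CKA_CLASS" or not objects:
            objects.append({})
        objects[-1][attr] = value
    return objects


def trust_status(objects, sha1_fingerprint):
    """Find the trust object whose CKA_CERT_SHA1_HASH matches the
    colon-separated fingerprint.  Returns (label, {bit: value}, all_off)
    or None if no trust object carries that hash."""
    want = bytes.fromhex(sha1_fingerprint.replace(":", ""))
    for obj in objects:
        if (obj.get("CKA_CLASS") in ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")
                and obj.get("CKA_CERT_SHA1_HASH") == want):
            bits = {b: obj.get(b, "(absent)") for b in TRUST_BITS}
            all_off = not any(v in TRUSTED_VALUES for v in bits.values())
            return obj.get("CKA_LABEL", "?"), bits, all_off
    return None


def verify_disabled(text, fingerprints):
    """Map each fingerprint to True only when its trust object exists and
    has all three bits off.  A missing trust object is reported as False
    (not verifiable), so a mistyped fingerprint cannot pass silently."""
    objects = parse_certdata(text)
    return {fp: (s is not None and s[2])
            for fp in fingerprints for s in [trust_status(objects, fp)]}


# Constructed fragment in certdata.txt syntax (not taken from NSS).  The first
# trust object carries the GTE CyberTrust Root fingerprint quoted in the bug
# with every bit off; the second is a made-up root that is still trusted.
SAMPLE_CERTDATA = r"""
BEGINDATA

# Trust for "GTE CyberTrust Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "GTE CyberTrust Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\220\336\336\236\114\116\237\157
\330\206\027\127\235\323\221\274
\145\246\211\144
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Root (constructed)"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root (constructed)"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004\005\006\007\010
\011\012\013\014\015\016\017\020
\021\022\023\024
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

GTE_FP = "90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64"
EXAMPLE_FP = "01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14"

if __name__ == "__main__":
    for fp, ok in verify_disabled(SAMPLE_CERTDATA, [GTE_FP, EXAMPLE_FP]).items():
        print(fp, "all three bits off" if ok else "STILL TRUSTED or not found")
```

Run it against a real certdata.txt by reading the file into `verify_disabled` with the nine fingerprints from the bug; a root whose certificate object was removed outright rather than having its bits turned off will show up as "not found", which is the distinction the patch review above does not itself check.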
Comment on attachment 434574 [details] [diff] [review] Patch v1 I confirm that this patch removes all 3 trust bits from 9 certs. I didn't check that they're the right ones, but Kathleen has already confirmed that.
Attachment #434574 - Flags: review?(rrelyea) → review+
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.61; previous revision: 1.60
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Previously mentioned commit was empty... correct one is:
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.63; previous revision: 1.62
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 1.60; previous revision: 1.59
done