Closed Bug 554334 Opened 10 years ago Closed 10 years ago

Disable Legacy Roots in NSS


(NSS :: CA Certificates Code, task)

(Reporter: kwilson, Assigned: KaiE)




(1 file)

This bug requests that the following root certificates be disabled (all three trust bits turned off) in the NSS root certificate store.

This request has been assessed in accordance with the Mozilla project guidelines, and the disablement of the certificates has been approved in bug

Please disable the following root certificates in NSS by turning off all three trust bits:

CN = GTE CyberTrust Root
SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64

CN = beTRUSTed Root CA
SHA1 Fingerprint: 5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38

CN = beTRUSTed Root CA-Baltimore Implementation
SHA1 Fingerprint: DC:BB:9E:B7:19:4B:C4:72:05:C1:11:75:29:86:83:5B:53:CA:E4:F8

CN = beTRUSTed Root CA - Entrust Implementation
SHA1 Fingerprint: 72:99:79:13:EC:9B:0D:AE:65:D1:B6:D7:B2:4A:76:A3:AE:C2:EE:16

CN = beTRUSTed Root CA - RSA Implementation
SHA1 Fingerprint: 1D:82:59:CA:21:27:C3:CB:C1:6C:D9:32:F6:2C:65:29:8C:A8:87:12

CN = Client Certification Authority
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Client Certification Authority
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Secure Server Certification Authority
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = UTN-USERFirst-Network Applications
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
Depends on: 554665
No longer depends on: 554665
Attached patch: Patch v1
The names shown in this bug (CN) are different from the names shown in the NSS source code (nicknames).

Therefore I used the following procedure to identify the certificates to remove:
- open cert manager
- search for the cert with the name shown in this bug
- view the cert
- compare the fingerprint to ensure I've found the right cert
- click details
- in the large text area, the initial line lists "builtin object token:"
  followed by the nickname
- I searched the NSS source code for this nickname and made the requested change

I hope I changed/removed the correct certs.
I'll produce a test build where you could verify.
A test build for verification on your preferred platform can be found here:

I'd appreciate if you could have a look to see whether I've removed/disabled the correct roots.
I have installed the test build and verified that the trust bits have been turned off for the root certs listed above.

Kai, I apologize for not thinking of this earlier -- I just noticed it while doing the testing, so I have to ask...

Would it be reasonable to do the changes for bug 530853 as part of this patch?
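The manual procedure above (match the fingerprint shown in the bug against the cert manager, then find the trust entry in the NSS source) and the follow-up verification that all three trust bits are off can both be checked mechanically against `certdata.txt`. The following script is an added example, not part of this bug or of NSS; it parses the `certdata.txt` object syntax (`CKA_CLASS`, `MULTILINE_OCTAL` ... `END`, `CKA_TRUST_*`), decodes the octal-escaped `CKA_CERT_SHA1_HASH` into the colon-separated fingerprint form used in the bug, and reports, for each requested root, whether it was found and which trust bits are still set to `*_TRUSTED_DELEGATOR`. The excerpt embedded in `SAMPLE_CERTDATA` is constructed for the example (it uses the GTE and beTRUSTed fingerprints from the request list plus a made-up "Example Trusted Root"); the requested-root table deliberately includes one root missing from the sample and one with a bit left on, so the check exercises both failure modes. Treating any value other than `*_TRUSTED_DELEGATOR` as "off" is an assumption that covers both the `CKT_NETSCAPE_` and the later `CKT_NSS_` spellings of the trust constants.

```python
import re

# Three of the nine SHA1 fingerprints from this bug's request list.
REQUESTED_DISABLED = {
    "GTE CyberTrust Root": "90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64",
    "beTRUSTed Root CA": "5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38",
    "Secure Server Certification Authority": "89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93",
}

# Constructed excerpt in certdata.txt syntax (raw string so the octal escapes
# stay literal). GTE: all bits off. beTRUSTed: server-auth still on (a missed
# edit). The third requested root is absent. "Example Trusted Root" is made up.
SAMPLE_CERTDATA = r"""
BEGINDATA

# Trust for "Example Trusted Root" (constructed, not a real CA)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020
\021\022\023\024
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "GTE CyberTrust Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "GTE CyberTrust Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\220\336\336\236\114\116\237\157\330\206\027\127\235\323\221\274
\145\246\211\144
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "beTRUSTed Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "beTRUSTed Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\133\315\315\314\146\366\334\344\104\037\343\175\134\303\023\114
\106\364\160\070
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""

TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")
TRUST_CLASSES = ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")  # newer / older class name


def parse_objects(text):
    """Parse certdata.txt syntax into a list of {attribute: value} dicts.
    MULTILINE_OCTAL attributes are decoded to bytes; other values stay as tokens."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr = parts[0]
        if attr == "CKA_CLASS":                  # every object begins with its class
            current = {"CKA_CLASS": parts[2]}
            objects.append(current)
        elif current is None:                    # file header lines such as BEGINDATA
            continue
        elif len(parts) == 2 and parts[1] == "MULTILINE_OCTAL":
            raw = bytearray()
            for oct_line in lines:               # consume \ooo escapes up to END
                if oct_line.strip() == "END":
                    break
                raw.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", oct_line))
            current[attr] = bytes(raw)
        elif len(parts) == 3:
            current[attr] = parts[2].strip('"')
    return objects


def fingerprint(raw):
    """Colon-separated upper-case hex, the form shown in the bug and the cert manager."""
    return ":".join(f"{b:02X}" for b in raw)


def enabled_trust_bits(trust_obj):
    """Trust attributes that still make the root a trust anchor (assumption: only
    *_TRUSTED_DELEGATOR counts as 'on'; MUST_VERIFY_TRUST, NOT_TRUSTED, UNKNOWN are 'off')."""
    return [a for a in TRUST_ATTRS if trust_obj.get(a, "").endswith("TRUSTED_DELEGATOR")]


def check_disablement(certdata_text, requested):
    """For each {label: sha1 fingerprint}, return (found, [trust bits still enabled]).
    A root that is not in the store at all comes back as (False, []) for follow-up."""
    trust_by_fp = {
        fingerprint(o["CKA_CERT_SHA1_HASH"]): o
        for o in parse_objects(certdata_text)
        if o["CKA_CLASS"] in TRUST_CLASSES and "CKA_CERT_SHA1_HASH" in o
    }
    report = {}
    for label, fp in requested.items():
        obj = trust_by_fp.get(fp.upper())
        report[label] = (False, []) if obj is None else (True, enabled_trust_bits(obj))
    return report


if __name__ == "__main__":
    for label, (found, bits) in check_disablement(SAMPLE_CERTDATA, REQUESTED_DISABLED).items():
        status = "not found" if not found else ("disabled" if not bits else "STILL TRUSTED: " + ", ".join(bits))
        print(f"{label}: {status}")
```

To run it against a real tree, replace `SAMPLE_CERTDATA` with the contents of `security/nss/lib/ckfw/builtins/certdata.txt` and extend `REQUESTED_DISABLED` with all nine fingerprints from the bug; any root reported as "not found" should be checked by hand, since the patch may have removed the object outright rather than clearing its bits.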
Attachment #434574 - Flags: review?(rrelyea)
Comment on attachment 434574 [details] [diff] [review]
Patch v1

I confirm that this patch removes all 3 trust bits from 9 certs.  I didn't check that they're the right ones, but Kathleen has already confirmed that.
Attachment #434574 - Flags: review?(rrelyea) → review+
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.61; previous revision: 1.60
Closed: 10 years ago
Resolution: --- → FIXED
previously mentioned commit was empty...
correct one is:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.63; previous revision: 1.62
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.60; previous revision: 1.59
Target Milestone: --- → 3.12.7