Bug 554334: Disable Legacy Roots in NSS
Closed. Opened 14 years ago, closed 14 years ago.
Categories: NSS :: CA Certificates Code, task
Tracking: Not tracked
Status: RESOLVED FIXED
Milestone: 3.12.7
People: Reporter: kathleen.a.wilson, Assigned: KaiE
Attachments (1 file): patch, 47.44 KB, nelson: review+
This bug requests that the following root certificates be disabled (all three trust bits turned off) in the NSS root certificate store. This request has been assessed in accordance with the Mozilla project guidelines, and the disablement of the certificates has been approved in bug #534274.

Please disable the following root certificates in NSS by turning off all three trust bits:

CN = GTE CyberTrust Root
SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64

CN = beTRUSTed Root CA
SHA1 Fingerprint: 5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38

CN = beTRUSTed Root CA-Baltimore Implementation
SHA1 Fingerprint: DC:BB:9E:B7:19:4B:C4:72:05:C1:11:75:29:86:83:5B:53:CA:E4:F8

CN = beTRUSTed Root CA - Entrust Implementation
SHA1 Fingerprint: 72:99:79:13:EC:9B:0D:AE:65:D1:B6:D7:B2:4A:76:A3:AE:C2:EE:16

CN = beTRUSTed Root CA - RSA Implementation
SHA1 Fingerprint: 1D:82:59:CA:21:27:C3:CB:C1:6C:D9:32:F6:2C:65:29:8C:A8:87:12

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = UTN-USERFirst-Network Applications
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
Comment 1 • 14 years ago (Assignee)

Comment 2 • 14 years ago (Assignee)
The names shown in this bug (CN) are different from the names shown in the NSS source code (nicknames). Therefore I used the following procedure to identify the certificates to remove:
- open cert manager
- search for the cert with the name shown in this bug
- view the cert
- compare the fingerprint to ensure I've found the right cert
- click details
- in the large text area, the initial line lists "builtin object token:" followed by the nickname
- I searched the NSS source code for this nickname and made the requested change

I hope I changed/removed the correct certs. I'll produce a test build where you could verify.
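The fingerprint-first lookup described in comment 2, as an added example that is not part of this bug or of NSS: it parses trust objects in certdata.txt syntax, keys them by SHA1 fingerprint, and reports the nickname plus any of the three trust bits still set to a trusted-delegator value. The sample labels, the second hash and the CKT_NETSCAPE_TRUST_UNKNOWN value used for "off" are assumptions; the page does not show which value the patch wrote.

```python
import re
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")

# Constructed sample in certdata.txt syntax: labels, the second hash and the
# CKT_* values are made up; the first hash is the first fingerprint in this bug.
SAMPLE = r'''CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Constructed Legacy Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\220\336\336\236\114\116\237\157\330\206\027\127\235\323\221\274
\145\246\211\144
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Constructed Active Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
'''

def trust_by_fingerprint(text):
    """Map SHA1 fingerprint -> (nickname, trust bits still set) per trust object."""
    out, cur, lines = {}, None, iter(text.splitlines())
    for line in lines:
        f = line.strip().split(None, 2)
        if cur is not None and f[:1] == ["CKA_CERT_SHA1_HASH"]:
            # Octal-escaped bytes run until a line holding only END.
            octal = "".join(iter(lambda: next(lines).strip(), "END"))
            hexes = ["%02X" % int(o, 8) for o in re.findall(r"\\(\d{3})", octal)]
            out[":".join(hexes)] = cur
        elif len(f) < 3 or (cur is None and f[0] != "CKA_CLASS"):
            continue  # octal payload, blank line, or attribute of a non-trust object
        elif f[0] == "CKA_CLASS":  # every object starts with its class
            cur = {"nick": None, "on": []} if f[2].endswith("_TRUST") else None
        elif f[0] == "CKA_LABEL":
            cur["nick"] = f[2].strip('"')
        elif f[0] in TRUST_ATTRS and f[2].endswith("TRUSTED_DELEGATOR"):
            cur["on"].append(f[0])
    return {fp: (o["nick"], o["on"]) for fp, o in out.items()}

def audit(text, fingerprints):
    """Per requested fingerprint: (nickname, bits still on), or None if absent."""
    found = trust_by_fingerprint(text)
    return {fp: found.get(fp.upper()) for fp in fingerprints}
```

An empty list means all three bits are off for that fingerprint; `None` means no trust object with that fingerprint was found, which is the case the name mismatch in comment 2 would otherwise hide.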
Comment 3 • 14 years ago (Assignee)

A test build for verification on your preferred platform can be found here: https://build.mozilla.org/tryserver-builds/kaie@kuix.de-kaie-roots1003/

I'd appreciate it if you could have a look to see whether I've removed/disabled the correct roots.
Comment 4 • 14 years ago (Reporter)

I have installed the test build and verified that the trust bits have been turned off for the root certs listed above.

Kai, I apologize for not thinking of this earlier -- I just noticed it while doing the testing, so I have to ask... Would it be reasonable to do the changes for bug 530853 as part of this patch?
Updated • 14 years ago (Assignee)
Attachment #434574 - Flags: review?(rrelyea)
Comment 5 • 14 years ago

Comment on attachment 434574: Patch v1

I confirm that this patch removes all 3 trust bits from 9 certs. I didn't check that they're the right ones, but Kathleen has already confirmed that.

Attachment #434574 - Flags: review?(rrelyea) → review+
Comment 6 • 14 years ago (Assignee)

/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.61; previous revision: 1.60

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 7 • 14 years ago (Assignee)

previously mentioned commit was empty... correct one is:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.63; previous revision: 1.62
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 1.60; previous revision: 1.59
done
Updated • 14 years ago
Target Milestone: --- → 3.12.7