Comment 3 for bug 1031333

Marc Deslauriers (mdeslaur) wrote :

These are _root_ certs; the crypto library doesn't verify the signatures on root certs, since they are self-signed.

If we really don't want to ship md2 root certs, we need to make sure ca-certificates deliberately disables them, instead of overwriting them by coincidence just because they are listed first in Mozilla's cert file.

In theory, the sha1 cert should be sufficient, and earlier versions of libsoup accepted that one without an issue. I'm currently investigating whether this is a regression in libsoup or not.