Comment 4 for bug 1031333

Marc Deslauriers (mdeslaur) wrote :

OK, I am now convinced that we don't need the md2 certs; applications
should be able to validate using the sha1 certs. I believe a bug in
libsoup/glib-networking is causing the sha1 certs to not be used.

We still should improve ca-certificates to make _sure_ that we're
shipping the sha1 certs instead of the md2 certs, as it currently ships
the sha1 certs by coincidence as they are listed later in Mozilla's
file. If they ever change the order of their file, we'll be shipping the
md2 ones by mistake.
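
The ordering dependence described in this comment, as an added example that is not part of the original comment and is not ca-certificates' own code. It assumes both versions of a root appear under the same name and models order-dependent selection as "the later entry wins"; the DER skeletons, the name "Example Root" and all function names are constructed for illustration.

```python
# Added example. The "certificates" are constructed DER skeletons, not real roots.
MD2_RSA = bytes.fromhex("2a864886f70d010102")   # OID 1.2.840.113549.1.1.2
SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # OID 1.2.840.113549.1.1.5

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_oid(cert):
    """OID bytes of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, start, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)      # step over tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return cert[oid_start:oid_end]

def last_wins(entries):
    """Assumed model of order-dependent selection: a later entry replaces an earlier one."""
    return dict(entries)

def prefer_non_md2(entries):
    """Keep one certificate per name; an MD2-signed one never wins over a non-MD2 one."""
    chosen = {}
    for name, cert in entries:
        held = chosen.get(name)
        if held is None or (signature_oid(held) == MD2_RSA and signature_oid(cert) != MD2_RSA):
            chosen[name] = cert
    return chosen

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (body < 128 bytes)

def skeleton(oid, serial):
    tbs = tlv(0x30, tlv(0x02, serial))                # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))  # AlgorithmIdentifier
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))  # empty signature BIT STRING

MD2_CERT, SHA1_CERT = skeleton(MD2_RSA, b"\x01"), skeleton(SHA1_RSA, b"\x02")
```

Feeding the same two entries in either order shows the difference: `last_wins` returns whichever came second, while `prefer_non_md2` returns the SHA-1 version both times.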