Comment 9 for bug 1031333

Marc Deslauriers (mdeslaur) wrote :

Mozilla and Chromium still have the md2 cert, because VeriSign had issued intermediates with AKIs that point to the MD2 versions. I'm not sure there are any left though.

If you remove the md2 cert from Firefox, and restart it, it will still validate the site correctly.

You need to tell openssl where the CA cert bundle is:

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect

Doing that results in a successful verification, even though the md2 cert isn't in the system CA bundle:
Verify return code: 0 (ok)