Recommended update for ca-certificates-mozilla
SUSE Recommended Update: Recommended update for ca-certificates-mozilla
The system root SSL certificates were updated to match Mozilla NSS 2.2.
Some removed/disabled 1024 bit certificates were temporarily
reenabled/readded, as openssl and gnutls have a different handling of
intermediates than mozilla nss and would otherwise not recognize SSL
certificates from commonly used sites like Amazon.
Updated to 2.2 (bnc#888534)
- The following CAs were added:
+ COMODO_RSA_Certification_Authority codeSigning emailProtection
serverAuth
+ GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth
+ GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth
+ USERTrust_ECC_Certification_Authority codeSigning emailProtection
serverAuth
+ USERTrust_RSA_Certification_Authority codeSigning emailProtection
serverAuth
+ VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
+ Equifax_Secure_eBusiness_CA_1 remote code signing and https trust,
leave email trust
+ Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
- Entrust.net Secure Server Certification Authority
- ValiCert Class 1 Policy Validation Authority
- ValiCert Class 2 Policy Validation Authority
- ValiCert Class 3 Policy Validation Authority
- TDC Internet Root CA
- The following CA certificates were added:
- Certification Authority of WoSign
- CA æ²éæ ¹è¯ä¹¦
- DigiCert Assured ID Root G2
- DigiCert Assured ID Root G3
- DigiCert Global Root G2
- DigiCert Global Root G3
- DigiCert Trusted Root G4
- QuoVadis Root CA 1 G3
- QuoVadis Root CA 2 G3
- QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
- Class 3 Public Primary Certification Authority
- Class 3 Public Primary Certification Authority
- Class 2 Public Primary Certification Authority - G2
- VeriSign Class 2 Public Primary Certification Authority - G3
- AC RaÃz Certicámara S.A.
- NetLock Uzleti (Class B) Tanusitvanykiado
- NetLock Expressz (Class C) Tanusitvanykiado
Temporary reenable some root ca trusts, as openssl/gnutls have trouble
using intermediates as root CA.
- GTE CyberTrust Global Root
- Thawte Server CA
- Thawte Premium Server CA
- ValiCert Class 1 VA
- ValiCert Class 2 VA
- RSA Root Certificate 1
- Entrust.net Secure Server CA
- America Online Root Certification Authority 1
- America Online Root Certification Authority 2
| Announcement ID: | SUSE-RU-2015:0197-1 |
| Rating: | moderate |
| References: | #888534 |
| Affected Products: |
An update that has one recommended fix can now be installed.
Description:
The system root SSL certificates were updated to match Mozilla NSS 2.2.
Some removed/disabled 1024 bit certificates were temporarily
reenabled/readded, as openssl and gnutls have a different handling of
intermediates than mozilla nss and would otherwise not recognize SSL
certificates from commonly used sites like Amazon.
Updated to 2.2 (bnc#888534)
- The following CAs were added:
+ COMODO_RSA_Certification_Authority codeSigning emailProtection
serverAuth
+ GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth
+ GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth
+ USERTrust_ECC_Certification_Authority codeSigning emailProtection
serverAuth
+ USERTrust_RSA_Certification_Authority codeSigning emailProtection
serverAuth
+ VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
+ Equifax_Secure_eBusiness_CA_1 remote code signing and https trust,
leave email trust
+ Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
- Entrust.net Secure Server Certification Authority
- ValiCert Class 1 Policy Validation Authority
- ValiCert Class 2 Policy Validation Authority
- ValiCert Class 3 Policy Validation Authority
- TDC Internet Root CA
- The following CA certificates were added:
- Certification Authority of WoSign
- CA æ²éæ ¹è¯ä¹¦
- DigiCert Assured ID Root G2
- DigiCert Assured ID Root G3
- DigiCert Global Root G2
- DigiCert Global Root G3
- DigiCert Trusted Root G4
- QuoVadis Root CA 1 G3
- QuoVadis Root CA 2 G3
- QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
- Class 3 Public Primary Certification Authority
- Class 3 Public Primary Certification Authority
- Class 2 Public Primary Certification Authority - G2
- VeriSign Class 2 Public Primary Certification Authority - G3
- AC RaÃz Certicámara S.A.
- NetLock Uzleti (Class B) Tanusitvanykiado
- NetLock Expressz (Class C) Tanusitvanykiado
Temporary reenable some root ca trusts, as openssl/gnutls have trouble
using intermediates as root CA.
- GTE CyberTrust Global Root
- Thawte Server CA
- Thawte Premium Server CA
- ValiCert Class 1 VA
- ValiCert Class 2 VA
- RSA Root Certificate 1
- Entrust.net Secure Server CA
- America Online Root Certification Authority 1
- America Online Root Certification Authority 2
Patch Instructions:
To install this SUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-50 - SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-50
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 12 (noarch):
- ca-certificates-mozilla-2.2-7.1
- SUSE Linux Enterprise Desktop 12 (noarch):
- ca-certificates-mozilla-2.2-7.1
References:
- https://bugzilla.suse.com/show_bug.cgi?id=888534