Recommended update for openssl-certs

Announcement ID: SUSE-RU-2018:0378-1
Rating: moderate
References:
Affected Products:
  • SLES for SAP Applications 11-SP4
  • SUSE Linux Enterprise Point of Service 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
  • SUSE Linux Enterprise Server 11 SP4

An update that has three fixes can now be installed.

Description:

This update for openssl-certs fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996)

The old 1024-bit legacy CAs that were temporarily left in to allow in-chain root certificates were removed, as openssl is now able to handle them.

Further changes coming from Mozilla:

  • New Root CAs added:
    • Amazon Root CA 1: (email protection, server auth)
    • Amazon Root CA 2: (email protection, server auth)
    • Amazon Root CA 3: (email protection, server auth)
    • Amazon Root CA 4: (email protection, server auth)
    • Certplus Root CA G1: (email protection, server auth)
    • Certplus Root CA G2: (email protection, server auth)
    • D-TRUST Root CA 3 2013: (email protection)
    • GDCA TrustAUTH R5 ROOT: (server auth)
    • Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
    • Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
    • ISRG Root X1: (server auth)
    • LuxTrust Global Root 2: (server auth)
    • OpenTrust Root CA G1: (email protection, server auth)
    • OpenTrust Root CA G2: (email protection, server auth)
    • OpenTrust Root CA G3: (email protection, server auth)
    • SSL.com EV Root Certification Authority ECC: (server auth)
    • SSL.com EV Root Certification Authority RSA R2: (server auth)
    • SSL.com Root Certification Authority ECC: (email protection, server auth)
    • SSL.com Root Certification Authority RSA: (email protection, server auth)
    • Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
    • Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
    • Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
    • Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
    • TrustCor ECA-1: (email protection, server auth)
    • TrustCor RootCert CA-1: (email protection, server auth)
    • TrustCor RootCert CA-2: (email protection, server auth)
    • TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

  • Removed root CAs:
    • AddTrust Public Services Root
    • AddTrust Public CA Root
    • AddTrust Qualified CA Root
    • ApplicationCA - Japanese Government
    • Buypass Class 2 CA 1
    • CA Disig Root R1
    • CA WoSign ECC Root
    • Certification Authority of WoSign G2
    • Certinomis - Autorité Racine
    • Certum Root CA
    • China Internet Network Information Center EV Certificates Root
    • CNNIC ROOT
    • Comodo Secure Services root
    • Comodo Trusted Services root
    • ComSign Secured CA
    • EBG Elektronik Sertifika Hizmet Sağlayıcısı
    • Equifax Secure CA
    • Equifax Secure eBusiness CA 1
    • Equifax Secure Global eBusiness CA
    • GeoTrust Global CA 2
    • IGC/A
    • Juur-SK
    • Microsec e-Szigno Root CA
    • PSCProcert
    • Root CA Generalitat Valenciana
    • RSA Security 2048 v3
    • Security Communication EV RootCA1
    • Sonera Class 1 Root CA
    • StartCom Certification Authority
    • StartCom Certification Authority G2
    • S-TRUST Authentication and Encryption Root CA 2005 PN
    • Swisscom Root CA 1
    • Swisscom Root EV CA 2
    • TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
    • TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    • TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
    • UTN USERFirst Hardware Root CA
    • UTN USERFirst Object Root CA
    • VeriSign Class 3 Secure Server CA - G2
    • Verisign Class 1 Public Primary Certification Authority
    • Verisign Class 2 Public Primary Certification Authority - G2
    • Verisign Class 3 Public Primary Certification Authority
    • WellsSecure Public Root Certificate Authority
    • Certification Authority of WoSign
    • WoSign China

  • Removed Code Signing rights from a lot of CAs (not listed here).

  • Removed Server Auth rights from:
    • AddTrust Low-Value Services Root
    • Camerfirma Chambers of Commerce Root
    • Camerfirma Global Chambersign Root
    • Swisscom Root CA 2

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Point of Service 11 SP3
    zypper in -t patch sleposp3-openssl-certs-13457=1
  • SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
    zypper in -t patch slessp3-openssl-certs-13457=1
  • SUSE Linux Enterprise Server 11 SP4
    zypper in -t patch slessp4-openssl-certs-13457=1
  • SLES for SAP Applications 11-SP4
    zypper in -t patch slessp4-openssl-certs-13457=1

Package List:

  • SUSE Linux Enterprise Point of Service 11 SP3 (noarch)
    • openssl-certs-2.22-0.7.3.1
  • SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (noarch)
    • openssl-certs-2.22-0.7.3.1
  • SUSE Linux Enterprise Server 11 SP4 (noarch)
    • openssl-certs-2.22-0.7.3.1
  • SLES for SAP Applications 11-SP4 (noarch)
    • openssl-certs-2.22-0.7.3.1
