[ET Trac] [Einstein Toolkit] #1061: Certificate failure
Einstein Toolkit
trac-noreply at einsteintoolkit.org
Wed Oct 17 10:29:38 CDT 2012
#1061: Certificate failure
--------------------------------------+-------------------------------------
  Reporter:  eschnett                 |       Owner:
      Type:  enhancement              |      Status:  reopened
  Priority:  minor                    |   Milestone:
 Component:  EinsteinToolkit website  |     Version:
Resolution:                           |    Keywords:
--------------------------------------+-------------------------------------

Comment (by knarf):
I don't think this is a financial aspect. Root certificates, like any
certificate, have a life span. Older systems eventually have a problem not
only because they cannot trust new root certificates; the ones they do
trust eventually all expire as well. For this mechanism to work, the list
of trusted certificates needs to be updated from time to time. There is no
way for us to change this.

You say that this is a problem on a "very popular OS". Do you have more
information about that OS? A lot of the tools mentioned (wget, curl) use
libraries like openssl under the hood. Which version of openssl is
installed there?

My current Debian system (released Feb. 2011) ships with OpenSSL 0.9.8o 01
Jun 2010. This seems to be sufficient for 'our' root certificate. QueenBee,
on the other hand, runs RHEL 4.5, released 2007-05-01, and uses OpenSSL
0.9.7d 17 Mar 2004. Unless the list of certificates was updated in the
meantime, the list of trusted certificates there is over 8 years old. I
don't think you will find many root certificates that were valid at
that time, will still be valid in some years, and are still used to sign
other certificates.

The problem can really only be solved by updating the list of trusted
certificates - either (ideally) by the vendor, by the system
administrator, or otherwise by the user.

--
Ticket URL: <https://trac.einsteintoolkit.org/ticket/1061#comment:8>
Einstein Toolkit <http://einsteintoolkit.org>
The Einstein Toolkit
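
An added example, not part of the ticket comment above: one way to check the two things the comment asks about, which OpenSSL build a host uses and how many roots in its trust list have expired or are about to. The function names and the sample roots are assumptions constructed for illustration.

```python
import ssl
import time

# Constructed sample, shaped like SSLContext.get_ca_certs() output.
SAMPLE_ROOTS = [
    {"subject": ((("commonName", "Example Root A"),),),
     "notAfter": "Jan  1 00:00:00 2010 GMT"},
    {"subject": ((("organizationName", "Example Org B"),),),
     "notAfter": "Jun  1 00:00:00 2013 GMT"},
    {"subject": ((("commonName", "Example Root C"),),),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
]

def load_roots(cafile=None):
    """CA certs OpenSSL loads from cafile, or from the system defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        # Certificates in a hashed CA directory are loaded lazily and
        # will not be listed here; only the default bundle file is.
        ctx.load_default_certs()
    return ctx.get_ca_certs()

def subject_name(cert):
    """Best-effort display name: commonName, else organizationName."""
    fields = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return fields.get("commonName") or fields.get("organizationName") or "<unnamed>"

def audit_roots(certs, now=None, warn_days=365):
    """Sort roots into expired / expiring (within warn_days) / ok."""
    now = time.time() if now is None else now
    report = {"expired": [], "expiring": [], "ok": []}
    for cert in certs:
        left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
        if left <= 0:
            bucket = "expired"
        elif left <= warn_days * 86400:
            bucket = "expiring"
        else:
            bucket = "ok"
        report[bucket].append(subject_name(cert))
    return report

if __name__ == "__main__":
    print("Linked against:", ssl.OPENSSL_VERSION)
    roots = load_roots() or SAMPLE_ROOTS   # fall back to constructed data
    for bucket, names in audit_roots(roots).items():
        print(f"{bucket:9} {len(names):4}  {', '.join(names[:3])}")
```

Passing `now` as a past or future timestamp shows how the same trust list looks at a different date, which is the ageing effect the comment describes.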