552540 – >app-misc/ca-certificates-20140927.3.17.2 should RDEPEND on >=dev-libs/openssl-1.0.1o

Bug 552540 - >app-misc/ca-certificates-20140927.3.17.2 should RDEPEND on >=dev-libs/openssl-1.0.1o

Summary: >app-misc/ca-certificates-20140927.3.17.2 should RDEPEND on >=dev-libs/openss...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-06-19 09:35 UTC by Thomas Deutschmann (RETIRED)
Modified:	2015-06-23 17:09 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2015-06-19 09:35:17 UTC

Hi,

see bug 548436.

In NSS 3.17.3 roots like GTE CyberTrust Global Root were removed.

Applications using <openssl-1.0.1o won't be able to verify SSL hosts using certs from these roots (like FB's akamai CDN).

When we RDEPEND on an openssl version which supports alternative certificate paths we would guarantee that people won't use a incompatible cert store (=forcing openssl upgrades, because we have multiple versions in tree).

See this discussion (http://thread.gmane.org/gmane.linux.gentoo.devel/88762) regarding the recommendation for specifying minimal version numbers.

Comment 1 SpanKY gentoo-dev

2015-06-23 17:09:52 UTC

should be all set now in the tree; thanks for the report!

Commit message: Force newer openssl so alternative certificate paths work smoothly
http://sources.gentoo.org/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild?r1=1.1&r2=1.2
http://sources.gentoo.org/app-misc/ca-certificates/ca-certificates-20141019.3.19.ebuild?r1=1.2&r2=1.3