Update data/other/cacert.pem
Bug description
The data/other/cacert.pem is quite outdated. For example, some of the CA certificates in data/other/cacert.pem are expired:
ABA.ECOM Root CA Expires: 09.07.2009
beTRUSTed Root CAs Expires: 20.06.2010
DST RootCA X1 Expires: 28.11.2008
DST RootCA X2 Expires: 27.11.2008
GTE CyberTrust Root Expires: 23.02.2006
IPS SERVIDORES Expires: 29.12.2009
cacerts.pem - TC TrustCenter Class 3 CA Expires: 01.01.2011
Class 1 Public Primary OCSP Responder Expires: 03.08.2004
Class 2 Public Primary OCSP Responder Expires: 31.07.2004
Class 3 Public Primary OCSP Responder Expires: 03.08.2004
cacerts.pem - RSA Data Security, Inc., Secure Server Certification Authority Expires: 07.01.2010
Secure Server OCSP Responder Expires: 03.08.2004
VeriSign Time Stamping Authority CA Expires: 25.09.2010
StartCom Class 1 Intermediate CA - Jabber Software Foundation Expires: 02.12.2011
Will expire soon: GlobalSign Root CA Expires: 28.01.2014
Some of the CA certificates in cacert.pem use only 1024 bit RSA keys. This is too short for good protection; for example, the Mozilla CA Certificate Maintenance Policy allows RSA 1024 bits only until December 31, 2013. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
Fix
Update the cacert.pem. I strongly recommend not using cacert.pem when the operating system provides system CA certificates (for example /etc/ssl/certs on the Linux platform), because CA certificates are critical for SSL security. The system CA certificates are regularly updated with the operating system, so we don't have to ship and regularly update the newest CA certificates with Gajim.
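A sketch of the selection logic the fix asks for, added here as an example and not taken from Gajim's code: trust the operating system's CA store when one is present and load the shipped bundle only as a fallback. The function names are hypothetical, and the bundle path is the one named in this report.

```python
import os
import ssl
import sys

# Path of the shipped fallback bundle, as named in the report.
BUNDLED_CA = "data/other/cacert.pem"


def system_ca_available(paths=None):
    """Return True when the OS provides a usable CA store for OpenSSL.

    `paths` is any object with `cafile` and `capath` attributes; it defaults
    to ssl.get_default_verify_paths() and is injectable for testing.
    """
    if paths is None and sys.platform == "win32":
        # On Windows, create_default_context() reads the system certificate stores.
        return True
    if paths is None:
        paths = ssl.get_default_verify_paths()
    cafile, capath = paths.cafile, paths.capath
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return True
    if capath and os.path.isdir(capath):
        # A hashed directory such as /etc/ssl/certs is read lazily by OpenSSL,
        # so look for entries instead of trusting cert_store_stats().
        with os.scandir(capath) as entries:
            return any(True for _ in entries)
    return False


def make_tls_context(bundled=BUNDLED_CA, paths=None):
    """Build a verifying client context and report which CA source it uses."""
    if system_ca_available(paths):
        # System store: kept current by operating system updates.
        return ssl.create_default_context(), "system"
    # Fallback only: the shipped bundle has to be refreshed by the project.
    return ssl.create_default_context(cafile=bundled), "bundled"


if __name__ == "__main__":
    try:
        context, source = make_tls_context()
        print("CA source:", source, "| hostname check:", context.check_hostname)
    except (OSError, ssl.SSLError) as exc:
        print("no usable CA source:", exc)
```

Both branches return a context from ssl.create_default_context(), so certificate and hostname verification stay enabled whichever CA source is chosen.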