Changes

Mozilla [https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf recommends] not trusting any certificates issued by this CA after 1st April 2015. We have a [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CNNICHashWhitelist.inc whitelist of older certificates], and tools to generate it. The code implementing this restriction is [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#753 in NSSthe Mozilla platform security code (PSM)], which is shared by the Mozilla applications (Firefox, Thunderbird, etc.).