[Bug 1722411] [NEW] gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Launchpad Bug Tracker
1722411 at bugs.launchpad.net
Mon Oct 9 21:51:59 UTC 2017
You have been subscribed to a public bug by Anders Kaseorg (andersk):
[Impact]
Recently, due to some combination of the recent ca-certificate SRU and
server certificate chain reconfigurations, the gnutls28 package in
trusty was left unable to validate many valid certificate chains, such
as that of google.com.
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
The problem is that although GeoTrust Global CA is a trusted
certificate, gnutls28 gives up after noting that Equifax Secure
Certificate Authority is not. This bug was fixed upstream by these
commits:
https://gitlab.com/gnutls/gnutls/commit/72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9
https://gitlab.com/gnutls/gnutls/commit/9dbe3aab9e157ef8f7a67112a4619d4f028519dc
https://gitlab.com/gnutls/gnutls/commit/d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31
[Test Case]
One way to reproduce this is by building and running gnutls-cli:
$ apt-get build-dep gnutls28
$ apt-get source gnutls28
$ cd gnutls28-3.2.11
$ debian/rules build
$ ./src/gnutls-cli google.com
Processed 118 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4009:811::200e:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA256, activated `2017-09-26 11:09:35 UTC', expires `2017-12-19 10:59:00 UTC', SHA-1 fingerprint `a2a8d7ae1097865469dd5cf830896b930b704c8c'
Public Key ID:
e3e4e591a11311b8c92f8cddbebbea025d0e2088
Public key's random art:
+--[ EC 256]----+
|o .o. |
|E . . . |
| . . . o. . |
| . = o o |
| . B oS + |
| . o =+o= . |
| . oo . |
| . . |
| oo.++ |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-05-22 11:32:37 UTC', expires `2018-12-31 23:59:59 UTC', SHA-1 fingerprint `a6120fc0b4664fad0b3b6ffd5f7a33e561ddb87d'
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
(Note that the gnutls-cli binary in trusty’s gnutls-bin package comes
from gnutls26, which seems to have already received the necessary
updates, although it requires the ‘--x509cafile /etc/ssl/certs/ca-
certificates.crt’ option.)
[Regression Potential]
Most GnuTLS-dependent packages in trusty use gnutls26 rather than
gnutls28, so potential regressions, if any, would likely manifest in
self-compiled binaries and PPA packages that were specifically compiled
against gnutls28. (I noticed this bug in the first place because vlc
from ppa:jonathonf/vlc became unable to play YouTube videos.)
** Affects: gnutls28 (Ubuntu)
Importance: Undecided
Status: New
** Tags: trusty
--
gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
https://bugs.launchpad.net/bugs/1722411
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
More information about the Ubuntu-sponsors
mailing list