[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com

Anders Kaseorg andersk at mit.edu
Wed Jun 27 22:24:50 UTC 2018 

Er, yeah, this has been working for me.  Thanks for the reminder to
actually set the tags.

** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done verification-done-trusty

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1722411

Title:
  gnutls28 in trusty no longer validates many valid certificate chains,
  such as google.com

Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Trusty:
  Fix Committed

Bug description:
  [Impact]

  Recently, due to some combination of the recent ca-certificate SRU and
  server certificate chain reconfigurations, the gnutls28 package in
  trusty was left unable to validate many valid certificate chains, such
  as that of google.com.

   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

  The problem is that although GeoTrust Global CA is a trusted
  certificate, gnutls28 gives up after noting that Equifax Secure
  Certificate Authority is not.  This bug was fixed upstream by these
  commits:

  https://gitlab.com/gnutls/gnutls/commit/72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9
  https://gitlab.com/gnutls/gnutls/commit/9dbe3aab9e157ef8f7a67112a4619d4f028519dc
  https://gitlab.com/gnutls/gnutls/commit/d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31

  [Test Case]

  One way to reproduce this is by building and running gnutls-cli:

  $ apt-get build-dep gnutls28
  $ apt-get source gnutls28
  $ cd gnutls28-3.2.11
  $ debian/rules build
  $ ./src/gnutls-cli google.com
  Processed 118 CA certificate(s).
  Resolving 'google.com'...
  Connecting to '2607:f8b0:4009:811::200e:443'...
  - Certificate type: X.509
  - Got a certificate list of 3 certificates.
  - Certificate[0] info:
   - subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA256, activated `2017-09-26 11:09:35 UTC', expires `2017-12-19 10:59:00 UTC', SHA-1 fingerprint `a2a8d7ae1097865469dd5cf830896b930b704c8c'
  	Public Key ID:
  		e3e4e591a11311b8c92f8cddbebbea025d0e2088
  	Public key's random art:
  		+--[  EC  256]----+
  		|o      .o.       |
  		|E .   .  .       |
  		| . . . o. .      |
  		|    . =  o o     |
  		|   . B oS +      |
  		|  . o =+o= .     |
  		|   .   oo .      |
  		|    .   .        |
  		|     oo.++       |
  		+-----------------+

  - Certificate[1] info:
   - subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-05-22 11:32:37 UTC', expires `2018-12-31 23:59:59 UTC', SHA-1 fingerprint `a6120fc0b4664fad0b3b6ffd5f7a33e561ddb87d'
  - Certificate[2] info:
   - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
  - Status: The certificate is NOT trusted. The certificate issuer is unknown. 
  *** Verifying server certificate failed...
  *** Fatal error: Error in the certificate.
  *** Handshake has failed
  GnuTLS error: Error in the certificate.

  (Note that the gnutls-cli binary in trusty’s gnutls-bin package comes
  from gnutls26, which seems to have already received the necessary
  updates, although it requires the ‘--x509cafile /etc/ssl/certs/ca-
  certificates.crt’ option.)

  [Regression Potential]

  Most GnuTLS-dependent packages in trusty use gnutls26 rather than
  gnutls28, so potential regressions, if any, would likely manifest in
  self-compiled binaries and PPA packages that were specifically
  compiled against gnutls28.  (I noticed this bug in the first place
  because vlc from ppa:jonathonf/vlc became unable to play YouTube
  videos.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1722411/+subscriptions

More information about the Ubuntu-sponsors mailing list