[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com

Łukasz Zemczak 1722411 at bugs.launchpad.net
Thu Jun 28 07:35:30 UTC 2018


Which version of the package is working for you? Test verification
should include package version information for us to be sure that we're
releasing the same version of the package that has been tested.

-- 
https://bugs.launchpad.net/bugs/1722411

Title:
  gnutls28 in trusty no longer validates many valid certificate chains,
  such as google.com

Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Trusty:
  Fix Committed

Bug description:
  [Impact]

  Recently, due to some combination of the recent ca-certificate SRU and
  server certificate chain reconfigurations, the gnutls28 package in
  trusty was left unable to validate many valid certificate chains, such
  as that of google.com.

   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

  The problem is that although GeoTrust Global CA is a trusted
  certificate, gnutls28 gives up after noting that Equifax Secure
  Certificate Authority is not.  This bug was fixed upstream by these
  commits:

  https://gitlab.com/gnutls/gnutls/commit/72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9
  https://gitlab.com/gnutls/gnutls/commit/9dbe3aab9e157ef8f7a67112a4619d4f028519dc
  https://gitlab.com/gnutls/gnutls/commit/d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31

  [Test Case]

  One way to reproduce this is by building and running gnutls-cli:

  $ apt-get build-dep gnutls28
  $ apt-get source gnutls28
  $ cd gnutls28-3.2.11
  $ debian/rules build
  $ ./src/gnutls-cli google.com
  Processed 118 CA certificate(s).
  Resolving 'google.com'...
  Connecting to '2607:f8b0:4009:811::200e:443'...
  - Certificate type: X.509
  - Got a certificate list of 3 certificates.
  - Certificate[0] info:
   - subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA256, activated `2017-09-26 11:09:35 UTC', expires `2017-12-19 10:59:00 UTC', SHA-1 fingerprint `a2a8d7ae1097865469dd5cf830896b930b704c8c'
  	Public Key ID:
  		e3e4e591a11311b8c92f8cddbebbea025d0e2088
  	Public key's random art:
  		+--[  EC  256]----+
  		|o      .o.       |
  		|E .   .  .       |
  		| . . . o. .      |
  		|    . =  o o     |
  		|   . B oS +      |
  		|  . o =+o= .     |
  		|   .   oo .      |
  		|    .   .        |
  		|     oo.++       |
  		+-----------------+

  - Certificate[1] info:
   - subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-05-22 11:32:37 UTC', expires `2018-12-31 23:59:59 UTC', SHA-1 fingerprint `a6120fc0b4664fad0b3b6ffd5f7a33e561ddb87d'
  - Certificate[2] info:
   - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
  - Status: The certificate is NOT trusted. The certificate issuer is unknown. 
  *** Verifying server certificate failed...
  *** Fatal error: Error in the certificate.
  *** Handshake has failed
  GnuTLS error: Error in the certificate.

  (Note that the gnutls-cli binary in trusty’s gnutls-bin package comes
  from gnutls26, which seems to have already received the necessary
  updates, although it requires the
  ‘--x509cafile /etc/ssl/certs/ca-certificates.crt’ option.)

  [Regression Potential]

  Most GnuTLS-dependent packages in trusty use gnutls26 rather than
  gnutls28, so potential regressions, if any, would likely manifest in
  self-compiled binaries and PPA packages that were specifically
  compiled against gnutls28.  (I noticed this bug in the first place
  because vlc from ppa:jonathonf/vlc became unable to play YouTube
  videos.)
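As an added illustration (not code from the bug report or from GnuTLS), the following Python model reduces each certificate to its subject and issuer names and contrasts the two path-building behaviours the report describes: one that only consults the trust store for the issuer of the last certificate the server sent, and one that stops as soon as any certificate in the chain is, or is issued by, a trust anchor. Signature, expiry and key-usage checks are assumed to pass, and both trust stores are constructed from the names in the report (one with the Equifax root still present, one with only GeoTrust Global CA).

```python
"""Model of the chain walk behind bug 1722411 (added example, not GnuTLS code).

Certificates are reduced to (subject, issuer) name pairs; cryptographic
checks are assumed to succeed so that only the path-building logic shows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# The three certificates google.com sent, as listed in the bug report.
LEAF = Cert("CN=*.google.com", "CN=Google Internet Authority G2")
GIA_G2 = Cert("CN=Google Internet Authority G2", "CN=GeoTrust Global CA")
GEOTRUST = Cert("CN=GeoTrust Global CA",
                "OU=Equifax Secure Certificate Authority")
CHAIN = [LEAF, GIA_G2, GEOTRUST]

# Constructed trust stores: before and after the Equifax root was dropped.
TRUSTED_WITH_EQUIFAX = {"CN=GeoTrust Global CA",
                        "OU=Equifax Secure Certificate Authority"}
TRUSTED_GEOTRUST_ONLY = {"CN=GeoTrust Global CA"}


def well_formed(chain):
    """Every certificate must be issued by the next one in the list."""
    return bool(chain) and all(a.issuer == b.subject
                               for a, b in zip(chain, chain[1:]))


def verify_last_issuer_only(chain, trusted):
    """Behaviour the report describes: the trust store is consulted only for
    the issuer of the last certificate the server sent, so a trusted
    intermediate earlier in the chain is never noticed."""
    if not well_formed(chain):
        return False, "chain is not correctly ordered"
    last = chain[-1]
    if last.issuer in trusted:
        return True, f"issuer of '{last.subject}' is a trust anchor"
    return False, "The certificate issuer is unknown."


def verify_stop_at_trust_anchor(chain, trusted):
    """Fixed behaviour: walk the chain from the leaf and stop at the first
    certificate that is itself a trust anchor or is issued by one; whatever
    the server sent after that point is irrelevant."""
    if not well_formed(chain):
        return False, "chain is not correctly ordered"
    for cert in chain:
        if cert.subject in trusted:
            return True, f"'{cert.subject}' is a trust anchor"
        if cert.issuer in trusted:
            return True, f"'{cert.issuer}' (issuer of '{cert.subject}') is a trust anchor"
    return False, "The certificate issuer is unknown."


if __name__ == "__main__":
    for name, store in (("with Equifax root", TRUSTED_WITH_EQUIFAX),
                        ("GeoTrust Global CA only", TRUSTED_GEOTRUST_ONLY)):
        print(f"trust store {name}:")
        print("  last-issuer-only   ->", verify_last_issuer_only(CHAIN, store))
        print("  stop-at-anchor     ->", verify_stop_at_trust_anchor(CHAIN, store))
```

With the older trust store both strategies accept the chain, which is why the problem only surfaced once the Equifax root was removed; with GeoTrust Global CA alone, the last-issuer-only walk reports exactly the "certificate issuer is unknown" status seen in the gnutls-cli output above, while the anchor-stopping walk accepts the chain at the second certificate.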
