Package: ca-certificates
Version: 20111211
Severity: normal

Verisign shipped G1 PCA Roots with md2 signatures on them. At some point,
they resigned those roots using SHA1, but requested that the original certs
keep shipping in Mozilla's cert list as they had issued intermediates with
AKIs that point to the MD2 versions.

See discussion here:
https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ

Now, ca-certificates uses a script called "certdata2pem.py" to extract the
certificates from the certdata.txt file provided by Mozilla into individual
files. Unfortunately, the script names the certificate file using the
CKA_LABEL. In two instances, the verisign md2 and sha1 certs have the same
CKA_LABEL, so the script is overwriting the first one (md2) with the second
one (sha1).

This results in the Verisign md2 certs being missing from the system ca certs.
This usually isn't a problem except in the case where a website is handing
out a complete cert chain, including the md2 root cert. When that happens,
webkit is unable to verify the md2 root cert, and the connection fails.

See reproducer in downstream bug report here:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1031333


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to