Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation
Happy three-month bug birthday! Any news? Thanks, Michael
Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation
* Thomas Thomas Goirand [Wed Jul 15, 2020 at 02:48:20PM +0200]:
> Thanks for maintaining ca-certificates.
> I just wanted to let you know that a number of customers of $work are
> affected by this, and we would very much welcome a return of the
> GeoTrust Global CA.
> It'd be nice if the uploaders of the ca-certificates could state what
> they intend to do, so we could take the appropriate measure locally.

Is there any news or timeline, or is there something we could help with to get this sorted out, Michael (Shuler)?

regards
-mika-
Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation
Hi,

Thanks for maintaining ca-certificates.

I just wanted to let you know that a number of customers of $work are affected by this, and we would very much welcome a return of the GeoTrust Global CA.

It'd be nice if the uploaders of the ca-certificates could state what they intend to do, so we could take the appropriate measure locally.

Cheers,
Thomas Goirand (zigo)
Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation
Hello,

instead of re-enabling the GeoTrust root, wouldn't it be much simpler to include the CA certificates outlined in https://wiki.mozilla.org/CA/Additional_Trust_Changes under Symantec instead? This would also render other non-trustworthy certificates from GeoTrust useless.

In the meantime we've pinned the root CA of Apple's offending endpoints, which is what their developer documentation suggests. I just fear that they might decide tomorrow that they want to change certificates after all. I'm not entirely convinced they'll serve multiple certificates for a transition period.

Kind regards.

On Wed, 17 Jun 2020 08:15:27 -0500 Michael Catanzaro wrote:
> Hi,
>
> I asked Fedora's ca-certificates maintainer to comment on this. I
> didn't fully understand his reply, but he says this was some sort of
> mistake in Debian's package and not an upstream problem:
> https://bugzilla.redhat.com/show_bug.cgi?id=1845988#c3
>
> """
> So mozilla lists relevant changes between NSS processing and the raw
> cert trust database here:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes . NSS was indeed
> whitelisting accepted intermediates, but it also didn't explicitly
> remove the target CA's from the trust list. It now uses
> CKA_NSS_SERVER_DISTRUST_AFTER to handle how it distrusts the given CA's.
>
> I've verified that the cert has not been removed from the current trust
> list, but CKA_NSS_SERVER_DISTRUST_AFTER has been set in the latest
> version. This means if the certs issued from this CA were issued after
> the specified date, then the trust would be distrusted, otherwise it
> will continue to be trusted.
>
> I suspect Debian took out the certs from the trust store altogether,
> rather than process the list straight from mozilla.
>
> Upshot: if you process CKA_NSS_SERVER_DISTRUST_AFTER, then you will get
> safer behavior, otherwise the ca's are still trusted in the latest list.
> """
>
> I suspect you have more broken certificates that need to be restored
> than just GeoTrust.
>
> Furthermore, last time we had a major Debian-specific certificate
> verification issue, we discovered that Debian is not actually capable
> of restoring previously-removed certificates without manual user
> intervention, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339. That means
> that even once these certificates are restored, users who have already
> updated to the affected version of ca-certificates will suffer
> permanently broken certificate verification unless they have found this
> bug report and know to take manual intervention, because the
> certificates will remain disabled locally.
>
> Michael

--
Kim-Alexander Brodowski, IServ GmbH
Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation
On 11/06/2020 18:34, Michael Borg wrote:
> Yep I know but I cannot tell all my customers to run this workaround, some
> of our users are not experienced at all. The only thing I see here is
> that I need to provide a hotfix ourselves. We cannot wait for days... You
> are saying we cannot make an exception and push this fix ASAP?

Pushing packages to Debian takes time. If you need something for today you need to fix it yourself.

You can downgrade to the old version of the package ca-certificates or install the missing certificate manually. This recipe allows you to do that:

wget --no-check-certificate -c https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem \
  && mkdir /usr/local/share/ca-certificates/extra \
  && mv GeoTrust_Global_CA.pem /usr/local/share/ca-certificates/extra/GeoTrust_Global_CA.crt \
  && update-ca-certificates

And when you upgrade to the fixed version of ca-certificates you can remove the directory /usr/local/share/ca-certificates/extra and run the command update-ca-certificates again.
Processed: Re: Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation
Processing control commands:

> severity -1 serious
Bug #962596 [ca-certificates] ca-certificates: Removal of GeoTrust Global CA requires investigation
Severity set to 'serious' from 'important'

> tags -1 + pending
Bug #962596 [ca-certificates] ca-certificates: Removal of GeoTrust Global CA requires investigation
Added tag(s) pending.

> tags 942915 + pending
Bug #942915 [src:ca-certificates] ca-certificates: Python2 removal in sid/bullseye
Ignoring request to alter tags of bug #942915 to the same tags previously set

--
942915: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942915
962596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596