Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation

2020-09-10 Thread Michael Holloway
Happy three-month bug birthday!  Any news?

Thanks,
Michael


Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation

2020-08-05 Thread Michael Prokop
* Thomas Goirand [Wed Jul 15, 2020 at 02:48:20PM +0200]:

> Thanks for maintaining ca-certificates.

> I just wanted to let you know that a number of customers of $work are
> affected by this, and we would very much welcome a return of the
> GeoTrust Global CA.

> It'd be nice if the uploaders of the ca-certificates could state what
> they intend to do, so we could take the appropriate measure locally.

Is there any news or timeline, or is there something we could help
with to get this sorted out, Michael (Shuler)?

regards
-mika-




Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation

2020-07-15 Thread Thomas Goirand
Hi,

Thanks for maintaining ca-certificates.

I just wanted to let you know that a number of customers of $work are
affected by this, and we would very much welcome a return of the
GeoTrust Global CA.

It'd be nice if the uploaders of the ca-certificates could state what
they intend to do, so we could take the appropriate measure locally.

Cheers,

Thomas Goirand (zigo)



Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation

2020-06-18 Thread Kim-Alexander Brodowski

Hello,

Instead of re-enabling the GeoTrust root, wouldn't it be much simpler to 
include the CA certificates outlined in 
https://wiki.mozilla.org/CA/Additional_Trust_Changes under Symantec? 
This would also render other non-trustworthy certificates from 
GeoTrust useless.


In the meantime we've pinned the root CA of Apple's offending endpoints, 
which is what their developer documentation suggests. I just fear that 
they might decide tomorrow that they want to change certificates after 
all. I'm not entirely convinced they'll serve multiple certificates for 
a transition period.


Kind regards.

On Wed, 17 Jun 2020 08:15:27 -0500 Michael Catanzaro wrote:


> Hi,
>
> I asked Fedora's ca-certificates maintainer to comment on this. I
> didn't fully understand his reply, but he says this was some sort of
> mistake in Debian's package and not an upstream problem:
> https://bugzilla.redhat.com/show_bug.cgi?id=1845988#c3
>
> """
> So mozilla lists relevant changes between NSS processing and the raw
> cert trust database here:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes . NSS was indeed
> whitelisting accepted intermediates, but it also didn't explicitly
> remove the target CAs from the trust list. It now uses
> CKA_NSS_SERVER_DISTRUST_AFTER to handle how it distrusts the given CAs.
>
> I've verified that the cert has not been removed from the current trust
> list, but CKA_NSS_SERVER_DISTRUST_AFTER has been set in the latest
> version. This means if the certs issued from this CA were issued after
> the specified date, then the trust would be distrusted, otherwise it
> will continue to be trusted.
>
> I suspect Debian took out the certs from the trust store altogether,
> rather than process the list straight from mozilla.
>
> Upshot: if you process CKA_NSS_SERVER_DISTRUST_AFTER, then you will get
> safer behavior, otherwise the CAs are still trusted in the latest list.
> """
>
> I suspect you have more broken certificates that need to be restored
> than just GeoTrust.
>
> Furthermore, last time we had a major Debian-specific certificate
> verification issue, we discovered that Debian is not actually capable
> of restoring previously-removed certificates without manual user
> intervention, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339. That means
> that even once these certificates are restored, users who have already
> updated to the affected version of ca-certificates will suffer
> permanently broken certificate verification unless they have found this
> bug report and know to take manual intervention, because the
> certificates will remain disabled locally.
>
> Michael

--
Kind regards
Kim-Alexander Brodowski

IServ GmbH
Development
Bültenweg 73
38106 Braunschweig

Phone:     +49 531 22 43 666-0
Mobile:    +49 152 55 17 55 16
Fax:       +49 531 22 43 666-9
E-mail:    kim.brodow...@iserv.eu
Web:       https://iserv.eu

VAT ID DE265149425 | Braunschweig Local Court | HRB 201822
Managing Directors: Benjamin Heindl, Martin Hüppe, Jörg Ludwig
Privacy policy: https://iserv.eu/privacy
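The distinction drawn in the quoted Fedora reply (root kept, but leaves issued after the CKA_NSS_SERVER_DISTRUST_AFTER date rejected, versus the root dropped outright so every chain fails) is easier to see in code. The following is an added example for this thread, not Debian's certdata2pem.py and not anything posted by the participants. The certdata excerpt is constructed: the labels "Example Root CA" and "Other Root CA" are invented, the cut-off date is illustrative, and only the attributes needed for the decision are included; the layout (a CKO_CERTIFICATE object carrying the attribute as MULTILINE_OCTAL, paired by label with a CKO_NSS_TRUST object) follows Mozilla's certdata.txt format.

```python
"""Apply the CKA_NSS_SERVER_DISTRUST_AFTER rule to a certdata.txt excerpt.

Added example; not Debian's certdata2pem.py. Labels and the cut-off date
below are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed excerpt. The octal escapes under CKA_NSS_SERVER_DISTRUST_AFTER
# decode to the UTCTime string "200416000000Z" (2020-04-16 00:00:00).
CERTDATA = r"""
# Certificate "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\003
END
# For Server Distrust After: Thu Apr 16 00:00:00 2020
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\064\061\066\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Other Root CA": no cut-off attribute at all
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Other Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Other Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def decode_octal(lines):
    """Turn a MULTILINE_OCTAL body (three-digit octal escapes) into bytes."""
    return bytes(int(d, 8) for d in OCTAL_ESCAPE.findall("".join(lines)))


def parse_certdata(text):
    """Split certdata text into objects; each object starts at a CKA_CLASS line."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr, ctype = parts[0], parts[1]
        if ctype == "MULTILINE_OCTAL":
            body = []
            for raw in lines:  # consume the octal lines up to the END marker
                if raw.strip() == "END":
                    break
                body.append(raw.strip())
            value = decode_octal(body)
        elif ctype == "UTF8":
            value = parts[2].strip('"')
        else:
            value = parts[2]  # e.g. CK_FALSE, CKT_NSS_TRUSTED_DELEGATOR
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        current[attr] = value
    return objects


def load_roots(text):
    """Pair each CKO_CERTIFICATE with its CKO_NSS_TRUST object by label."""
    roots = {}
    for obj in parse_certdata(text):
        root = roots.setdefault(
            obj["CKA_LABEL"], {"server_distrust_after": None, "trust_server_auth": None})
        if obj["CKA_CLASS"] == "CKO_CERTIFICATE":
            raw = obj.get("CKA_NSS_SERVER_DISTRUST_AFTER")
            if isinstance(raw, bytes):  # CK_BBOOL CK_FALSE (a str) means no cut-off
                root["server_distrust_after"] = datetime.strptime(
                    raw.decode("ascii"), "%y%m%d%H%M%SZ")
        elif obj["CKA_CLASS"] == "CKO_NSS_TRUST":
            root["trust_server_auth"] = obj.get("CKA_TRUST_SERVER_AUTH")
    return roots


def server_auth_decision(roots, root_label, leaf_not_before):
    """TLS server-auth verdict for a leaf (notBefore as "YYYY-MM-DD") chaining
    to root_label: root kept but leaf issued after the cut-off -> distrusted;
    root missing from the store -> untrusted for every leaf."""
    root = roots.get(root_label)
    if root is None or root["trust_server_auth"] != "CKT_NSS_TRUSTED_DELEGATOR":
        return "untrusted"
    cutoff = root["server_distrust_after"]
    if cutoff is not None and datetime.fromisoformat(leaf_not_before) > cutoff:
        return "distrusted"
    return "trusted"


if __name__ == "__main__":
    roots = load_roots(CERTDATA)
    for label, leaf in [("Example Root CA", "2019-06-01"), ("Example Root CA", "2020-05-01")]:
        print(label, leaf, server_auth_decision(roots, label, leaf))
    # Dropping the root outright, as the reply above suspects the Debian
    # package did, also rejects the leaf issued before the cut-off:
    pruned = {k: v for k, v in roots.items() if k != "Example Root CA"}
    print("pruned store:", server_auth_decision(pruned, "Example Root CA", "2019-06-01"))
```

Run stand-alone it prints "trusted" for the 2019 leaf, "distrusted" for the 2020 leaf, and "untrusted" for the pruned store. The point for a distribution trust bundle is that a flat PEM file cannot carry the cut-off date, so a converter that only emits or omits roots must choose between the two outcomes shown, while a verifier that reads the attribute (as NSS does) gets the middle one.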



Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation

2020-06-11 Thread Carlos Alberto Lopez Perez
On 11/06/2020 18:34, Michael Borg wrote:
> Yep, I know, but I cannot tell all my customers to run this workaround; some
> of our users are not experienced at all. The only thing I see here is
> that I need to provide a hotfix ourselves. We cannot wait for days... You
> are saying we cannot make an exception and push this fix ASAP?

Pushing packages to Debian takes time. If you need something for today you need 
to fix it yourself.

You can downgrade to the old version of the ca-certificates package or install 
the missing certificate manually.

This recipe allows you to do that:

# NOTE: --no-check-certificate fetches a trust anchor without any verification;
# compare the downloaded file's fingerprint against a known-good copy before
# trusting it. update-ca-certificates picks up every *.crt file placed under
# /usr/local/share/ca-certificates/ and adds it to the system bundle.
wget --no-check-certificate -c \
    https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem \
&& mkdir -p /usr/local/share/ca-certificates/extra \
&& mv GeoTrust_Global_CA.pem /usr/local/share/ca-certificates/extra/GeoTrust_Global_CA.crt \
&& update-ca-certificates

When you upgrade to the fixed version of ca-certificates, you can remove the 
directory /usr/local/share/ca-certificates/extra 
and run update-ca-certificates again.





Processed: Re: Bug#962596: ca-certificates: Removal of GeoTrust Global CA requires investigation

2020-06-11 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 serious
Bug #962596 [ca-certificates] ca-certificates: Removal of GeoTrust Global CA requires investigation
Severity set to 'serious' from 'important'
> tags -1 + pending
Bug #962596 [ca-certificates] ca-certificates: Removal of GeoTrust Global CA requires investigation
Added tag(s) pending.
> tags 942915 + pending
Bug #942915 [src:ca-certificates] ca-certificates: Python2 removal in sid/bullseye
Ignoring request to alter tags of bug #942915 to the same tags previously set

-- 
942915: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942915
962596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems