This bug was fixed in the package openssl - 1.1.1f-1ubuntu4.4
---
openssl (1.1.1f-1ubuntu4.4) groovy; urgency=medium
* Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
to validate, as it is common on self-signed leaf certificates.
(LP: #1926254)
-
This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.4
---
openssl (1.1.1f-1ubuntu2.4) focal; urgency=medium
* Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0
to validate, as it is common on self-signed leaf certificates.
(LP: #1926254)
-
Performing verification for Groovy.
I went and generated the ssl certificates and attempted to verify them with
the openssl version 1.1.1f-1ubuntu4.3 from -updates.
ubuntu@deep-mako:~$ sudo apt-cache policy openssl | grep Installed
Installed: 1.1.1f-1ubuntu4.3
ubuntu@deep-mako:~$ mkdir
Performing verification for Focal
Generating the ssl certificates, and reproducing the problem with version
1.1.1f-1ubuntu2.3 from -updates.
ubuntu@select-lobster:~$ sudo apt-cache policy openssl | grep Installed
Installed: 1.1.1f-1ubuntu2.3
ubuntu@select-lobster:~$ mkdir reproducer
I very much appreciate the security review by Seth here. When I first
started reading this bug I was going to insist on having a security
review, but then I saw you've already taken care to arrange that. Thank
you!
** Changed in: openssl (Ubuntu Groovy)
Status: In Progress => Fix Committed
uploaded to f/g, thanks!
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1926254
Title:
x509 Certificate verification fails when
basicConstraints=CA:FALSE,pathlen:0 on
Matthew, thanks so much! sounds good to me.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1926254
Title:
x509 Certificate verification fails when
Hi Seth,
Thanks for the review.
I read the commit you found:
commit 1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
Author: Dr. David von Oheimb
Date: Sat Jun 27 16:16:12 2020 +0200
Subject: Extend X509 cert checks and error reporting in v3_{purp,crld}.c and
x509_{set,vfy}.c
Link:
Hello Dan and Matthew, thanks for working on this. I gave the debdiffs a
look, skimmed through openssl changes, and don't see any reason to not
do this. There *are* larger changes to that function in
https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
-- but it's a
added ubuntu-security to the bug, just for quick review to make sure
they don't object to the patch
I can sponsor this to -updates if there's no objection
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
** Tags added: sts-sponsor
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1926254
Title:
x509 Certificate verification fails when
basicConstraints=CA:FALSE,pathlen:0 on
Attached is a debdiff for openssl on Groovy which fixes this bug.
** Patch added: "Debdiff for openssl on Groovy"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254/+attachment/5493443/+files/lp1926254_groovy.debdiff
--
You received this bug notification because you are a member
Attached is a debdiff for openssl on Focal which fixes this bug.
** Patch added: "Debdiff for openssl on focal"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1926254/+attachment/5493442/+files/lp1926254_focal.debdiff
--
You received this bug notification because you are a member of
** Description changed:
[Impact]
In openssl 1.1.1f, the below commit was merged:
commit ba4356ae4002a04e28642da60c551877eea804f7
Author: Bernd Edlinger
Date: Sat Jan 4 15:54:53 2020 +0100
Subject: Fix error handling in x509v3_cache_extensions and related functions
Link:
14 matches
Mail list logo
