Public bug reported:

I noticed recently that landscape-client could no longer contact our
staging server. Fortunately, contacting the production server is still
ok.

This command is an easy way to reproduce the problem. It is failing
against staging.landscape.canonical.com:

gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com

I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works
in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get
an update.

I concentrated the rest of my tests in dapper.

With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.

Here is the chain as seen by gnutls against staging.landscape.canonical.com:
[0]
Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287

[1]
Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority

[2]
Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,[EMAIL PROTECTED]

[3]
Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,[EMAIL PROTECTED]
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,[EMAIL PROTECTED]

Notice that the last certificate in the chain is the CA certificate, which is
self-signed. I wonder if the recent security fix broke that:
    - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
      if it is self-signed in lib/x509/verify.c

Here is openssl's chain against the same site (staging):
Certificate chain
 0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED]
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED]
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED]

OpenSSL's s_client tool works, btw.

** Affects: landscape
     Importance: High
         Status: New

** Affects: landscape-client
     Importance: Undecided
         Status: New

** Affects: gnutls12 (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: landscape
   Importance: Undecided
       Status: New

** Changed in: landscape
   Importance: Undecided => Critical
       Target: None => mountainview-pre-2

** Changed in: landscape
   Importance: Critical => High

** Also affects: landscape-client
   Importance: Undecided
       Status: New

-- 
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
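The chain-handling question the report raises, as an added example that is not part of the bug report or of GnuTLS: a simplified verifier that tolerates a self-signed root at the end of the server-supplied chain (the case seen against staging) without trusting any certificate merely because it is self-signed. The `Cert`, `issued_by` and `verify_chain` helpers, the key labels and the abbreviated certificate names are constructed for this illustration, and the signature check is reduced to a key-label comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Cut-down X.509 certificate. 'key' stands in for the public key and
    'signer_key' for the key that made the signature: the signature check is
    reduced to a key-label comparison (a real verifier checks the signature)."""
    subject: str
    issuer: str
    key: str
    signer_key: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.signer_key == self.key

def issued_by(cert: Cert, issuer: Cert) -> bool:
    return cert.issuer == issuer.subject and cert.signer_key == issuer.key

def verify_chain(chain: list[Cert], trust_store: list[Cert]) -> tuple[bool, str]:
    """Walk leaf -> root. The walk ends as soon as a trust anchor is reached, so a
    self-signed root that the server sends is tolerated; a self-signed certificate
    that is NOT an anchor is rejected, never silently dropped."""
    anchors = {(c.subject, c.key) for c in trust_store}
    by_subject = {c.subject: c for c in trust_store}
    for i, cert in enumerate(chain):
        if (cert.subject, cert.key) in anchors:
            return True, f"chain[{i}] is a trust anchor"
        if cert.self_signed:
            return False, f"chain[{i}] is self-signed but not trusted"
        sent_next = i + 1 < len(chain)
        issuer = chain[i + 1] if sent_next else by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"issuer of chain[{i}] was neither sent nor trusted"
        if not issued_by(cert, issuer):
            return False, f"chain[{i}] is not signed by its named issuer"
        if not sent_next:
            return True, f"chain[{i}] chains to trust anchor {issuer.subject!r}"
    return False, "empty chain"

# Constructed sample modelled on the chain in the report (DNs abbreviated).
VALICERT = Cert("ValiCert Class 2 Policy Validation Authority",
                "ValiCert Class 2 Policy Validation Authority", "k-valicert", "k-valicert")
GD_CLASS2 = Cert("Go Daddy Class 2 Certification Authority", VALICERT.subject, "k-gd2", "k-valicert")
GD_SECURE = Cert("Go Daddy Secure Certification Authority", GD_CLASS2.subject, "k-gdsec", "k-gd2")
LEAF = Cert("*.landscape.canonical.com", GD_SECURE.subject, "k-leaf", "k-gdsec")
# A look-alike self-signed root under a different key: must not be accepted.
ROGUE_ROOT = Cert(VALICERT.subject, VALICERT.subject, "k-rogue", "k-rogue")
```

With the full four-certificate chain and the ValiCert root in the store the walk succeeds at the root, and with only the three non-root certificates it succeeds by looking the issuer up in the store; an empty store or a root under a different key is refused.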
