*** This bug is a duplicate of bug 1528645 ***
https://bugs.launchpad.net/bugs/1528645
Glad it's working. I didn't rehash, but that should just result in a
dangling symlink which shouldn't be valid. Thanks for testing with a
fresh rehash.
I'll mark this bug as a dupe of 1528645.
Thanks!
** This bug has been marked a duplicate of bug 1528645
Please update ca-certificates on Trusty
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1565293
Title:
OpenSSL 1.0.1 fails to recognize cross-signed roots as trusted
Status in openssl package in Ubuntu:
Incomplete
Bug description:
Google has it's own certificate authority "Google Internet Authority
G2", which is signed by "GeoTrust Global CA". GeoTrust's certificate
is already in the trust stores, but it's cross-signed by an older root
named "Equifax Secure Certificate Authority".
The Equifax uses a 1024 bit private key and has therefore been removed
by Mozilla in their library (NSS), see
https://bugzilla.mozilla.org/show_bug.cgi?id=1156844.
Issuance from 1024 bit roots has been stopped in 2010 or 2011 IIRC and
1024 bit keys are no longer safe enough, so the root has been excluded
from their root program. However, Ubuntu 12.04 and 14.04 do still ship
with that root in their trust store.
A bug in the currently default OpenSSL 1.0.1f (at least in 14.04)
causes OpenSSL to error if that root is missing, even if the previous
root certificate "GeoTrust Global CA" is already in the root and
therefore trusted. It seems like it doesn't stop on the first trusted
certificate but instead requires a complete chain, so requires the
"Equifax Secure Certificate Authority" to be in the trust store. That
behavior is fixed in OpenSSL 1.0.2.
All 1024 bit roots should be removed from the default trust stores as
soon as possible. For this to work, the OpenSSL bug has to be
backported first.
If this is not going to be fixed, at least in 2018, we'll have an
issue, because that's the date where "Equifax Secure Certificate
Authority" will expire. If Google and various other sites will not
change their root to be non-cross-signed, many connections will break
and fail.
Domains I know to use old cross-signed certificates: google.com,
yahoo.com. I didn't do any scans, those were just the first two I
tried.
The following will happen on Aug 22 2018 without a fix:
kelunik@example:~$ faketime '2018-08-23 00:00:00' openssl s_client -quiet
-verify_return_error -connect google.com:443 -CApath /usr/lib/ssl/certs
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify error:num=10:certificate has expired
notAfter=Aug 22 16:41:51 2018 GMT
verify return:0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1565293/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
