This bug was fixed in the package ca-certificates - 20210119ubuntu1

---------------
ca-certificates (20210119ubuntu1) impish; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
    (LP: #1944481)

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Wed, 22 Sep 2021 07:46:54 -0400

** Changed in: ca-certificates (Ubuntu Impish)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  Fix Released

Bug description:
  [Impact]

   * ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
   * ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs the letsencrypt CA
   * "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
   * This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
   * We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self-built old copies of openssl/gnutls remain susceptible to this expiry.
   * One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
   * This is similar to how this was handled for AddTrust before:

  "* mozilla/blacklist.txt: blacklist expired AddTrust External Root CA."
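
  The reasoning in the Impact section, as an added illustration (not code from the bug report, ca-certificates, OpenSSL or GnuTLS): a deliberately simplified model of X.509 path building that contrasts an older "untrusted-first" verifier, which follows the server's chain up to the expired "DST Root CA X3" before consulting the trust store, with a "trusted-first" verifier that stops at "ISRG Root X1" as soon as it is found in the store. Removing "DST Root CA X3" from the store is what lets the older builder fall back to the self-signed "ISRG Root X1". Only the 30 September 2021 expiry of "DST Root CA X3" comes from the report; the hostname reuses the test plan's, and every other date and the certificate objects are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Just enough of an X.509 certificate to build a path: names and expiry."""
    subject: str
    issuer: str
    not_after: date


# Constructed model of the chain a Let's Encrypt server presented in 2021.
# Only the DST Root CA X3 expiry (30 Sept 2021) is from the bug report; the
# other dates are assumptions chosen so the example reproduces the failure.
LEAF = Cert("pskov.surgut.co.uk", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-sign outlives DST
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

PRESENTED = [LEAF, R3, ISRG_X1_CROSS]   # what the server sends
STORE_OLD = [ISRG_X1_SELF, DST_X3]      # ca-certificates before this fix
STORE_NEW = [ISRG_X1_SELF]              # DST Root CA X3 blacklisted
BEFORE_EXPIRY = date(2021, 9, 1)
AFTER_EXPIRY = date(2021, 10, 1)        # the faketime date used in the test plan


def find_issuers(cert, pool):
    """Certificates in pool whose subject matches cert's issuer name."""
    return [c for c in pool if c.subject == cert.issuer and c != cert]


def build_legacy(leaf, presented, store):
    """Untrusted-first path building, as older verifiers do: walk the
    server's chain as far as it goes, then look for a trust anchor.  If no
    anchor is found, drop the topmost presented certificate and retry."""
    chain = [leaf]
    while len(chain) <= len(presented):
        top = chain[-1]
        if top.subject == top.issuer:
            break
        nxt = find_issuers(top, presented)
        if not nxt:
            break
        chain.append(nxt[0])
    while chain:
        top = chain[-1]
        if top in store:
            return chain
        anchors = find_issuers(top, store)
        if anchors:
            return chain + [anchors[0]]
        if len(chain) == 1:
            return None      # nothing left to drop: no issuer for the leaf
        chain.pop()          # alternate-chain retry without the top presented cert
    return None


def build_trusted_first(leaf, presented, store):
    """Trusted-first path building, as newer verifiers do: prefer a trust
    store certificate over a presented one at every step."""
    chain = [leaf]
    while len(chain) <= len(presented) + 1:
        top = chain[-1]
        if top in store:
            return chain
        anchors = find_issuers(top, store)
        if anchors:
            return chain + [anchors[0]]
        nxt = find_issuers(top, presented)
        if not nxt:
            return None
        chain.append(nxt[0])
    return None


def verify(chain, today):
    """Report the first problem a verifier would raise, or 'OK'."""
    if chain is None:
        return "unable to get issuer certificate"
    for c in chain:
        if c.not_after < today:
            return f"certificate has expired: {c.subject}"
    return "OK"


def run(builder, store, today):
    """Build a path for LEAF with the given builder and store, then verify it."""
    return verify(builder(LEAF, PRESENTED, store), today)


if __name__ == "__main__":
    for name, builder in (("legacy", build_legacy), ("trusted-first", build_trusted_first)):
        for label, store in (("DST Root CA X3 trusted", STORE_OLD), ("DST Root CA X3 blacklisted", STORE_NEW)):
            print(f"{name:13} {label:27} {AFTER_EXPIRY}: {run(builder, store, AFTER_EXPIRY)}")
```

  Run as a script it prints one line per combination: the legacy builder with the old store fails on "DST Root CA X3" after 30 September 2021 while the same builder with the blacklisted store, and the trusted-first builder with either store, report OK. This is why the package change repairs trusty and self-built clients without touching the servers.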

  [Test Plan]

   * Install old/current ca-certificates faketime wget curl
  libcurl3-gnutls

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
    Issued certificate has expired.
  To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: certificate has expired

   * Install new ca-certificates package

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 612 [text/html]
  Saving to: 'index.html.3'

  100%[====================================================>] 612
  --.-K/s   in 0s

  2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   612  100   612    0     0   5794      0 --:--:-- --:--:-- --:--:--  5828

  Download is successful.

  [Where problems could occur]

   * Connectivity to "DST Root CA X3" websites only, even under faketime
  set to dates prior to 30th of September 2021, will not work, as the "DST
  Root CA X3" certificate is no longer installed. Users should locally
  install and enable that CA certificate, or allow dangerous unverified
  connectivity to websites using expired CA certs.

  [Other Info]

   * Related openssl and gnutls28 bugs are
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and
  https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
