** Patch added: "debdiff for quantal with the patch from Stef"
   https://bugs.launchpad.net/ubuntu/+source/glib-networking/+bug/1033516/+attachment/3255713/+files/glib-networking_2.33.8-0ubuntu3.debdiff

** Description changed:

+ TEST CASE:
+ 1. install epiphany-browser
+ 2. run "epiphany-browser https://secure-test.streamline-esolutions.com"
+ 3. verify that there is a "!" sign in the lock symbol in the top right (last bit of the url bar)
+ 4. install the updated glib-networking
+ 5. repeat step 2
+ 6. verify that the "lock" symbol is a lock without a "!" mark
+ 
  Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they resigned those same roots using SHA1. See discussion here:
  https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ

  In Ubuntu, the Verisign md2 certs do not ship in the system CA certs bundle, as the sha1 certs are being shipped instead. SSL libraries are supposed to verify certs with the sha1 G1 PCA Root just fine, even if the web site sends the md2 G1 PCA Root as part of the cert bundle. You can test this by using the following command:

  gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt --print-cert -p 443 secure-test.streamline-esolutions.com

  In older versions of libsoup, such as 2.36.1, this worked fine. Since libsoup 2.37.1, this is no longer working correctly. It seems glib-networking gtlsfiledatabase-gnutls.c:g_tls_file_database_gnutls_lookup_assertion() is attempting to validate the whole DER, which wouldn't properly accept the sha1 cert for validation.

  Attached is a reproducer. It will first attempt to validate the web site cert using the old md2 Root, and then will attempt with the sha1 Root. Both should succeed. With libsoup > 2.37, the sha1 Root fails verification.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1033516

Title:
  libsoup fails to validate certain Verisign certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/glib-networking/+bug/1033516/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
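The failure mode the report describes (a trust-anchor lookup that compares the whole DER of the root sent by the site against the bundle, so an md2-signed root no longer matches the sha1-resigned copy of the same root) can be shown without any network access. The following is an added example, not code from the bug report, the reproducer, or glib-networking: it builds two constructed, X.509-shaped DER "root certificates" that share subject and public key but carry different signatureAlgorithm OIDs (md2WithRSAEncryption vs sha1WithRSAEncryption) and a placeholder signature, then runs both lookup strategies against a constructed trust store. The names `fake_root`, `lookup_exact_der`, `lookup_by_identity`, the sample keys and the "Constructed G1 PCA Root" subject are all assumptions made for this illustration.

```python
"""Trust-anchor lookup: exact DER match versus subject + public-key match.
Added example; the certificates are constructed shells with a placeholder
signature (no real CA material or RSA key is involved)."""
import hashlib

SEQ, SET, INT, BITSTR, NULL, PRINTABLE, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x05, 0x13, 0x17
OID_MD2_RSA = "1.2.840.113549.1.1.2"   # md2WithRSAEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption
OID_RSA_KEY = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_CN = "2.5.4.3"                     # commonName


# --- minimal DER encoder, enough for the structures built here ------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:                      # base-128, high bit set on all but last byte
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return tlv(0x06, bytes(body))

def alg_id(oid):
    return tlv(SEQ, der_oid(oid) + tlv(NULL, b""))

def name(cn):
    return tlv(SEQ, tlv(SET, tlv(SEQ, der_oid(OID_CN) + tlv(PRINTABLE, cn.encode()))))

def fake_root(cn, pub_bytes, sig_oid, serial):
    """Self-issued v1 certificate shell: serial, signature, issuer, validity,
    subject, subjectPublicKeyInfo; the outer signature is a placeholder digest."""
    validity = tlv(SEQ, tlv(UTCTIME, b"120101000000Z") + tlv(UTCTIME, b"300101000000Z"))
    spki = tlv(SEQ, alg_id(OID_RSA_KEY) + tlv(BITSTR, b"\x00" + pub_bytes))
    tbs = tlv(SEQ, tlv(INT, bytes([serial])) + alg_id(sig_oid) + name(cn)
              + validity + name(cn) + spki)
    placeholder_sig = hashlib.sha256(tbs).digest()
    return tlv(SEQ, tbs + alg_id(sig_oid) + tlv(BITSTR, b"\x00" + placeholder_sig))


# --- minimal DER reader ----------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, body, end) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    """Split a constructed body into (tag, inner, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner, body[start:pos]))
    return out

def cert_identity(cert_der):
    """(subject DER, SubjectPublicKeyInfo DER): what actually identifies an anchor."""
    _, cert_body, _ = der_read(cert_der)
    fields = der_children(der_children(cert_body)[0][1])   # TBSCertificate fields
    if fields[0][0] == 0xA0:          # explicit [0] version present -> skip it
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[4][2], fields[5][2]


# --- the two lookup strategies ---------------------------------------------
def lookup_exact_der(trust_store, presented_root):
    """Byte-for-byte match: fails as soon as the CA has re-signed the same root."""
    return presented_root in trust_store

def lookup_by_identity(trust_store, presented_root):
    """Match on subject + public key, so either signing of the root is found."""
    wanted = cert_identity(presented_root)
    return any(cert_identity(anchor) == wanted for anchor in trust_store)


# Constructed sample data: the md2 copy is what the site sends, the sha1 copy
# is what the system bundle ships; same subject, same key, same serial.
PUB_G1 = bytes(range(1, 33))
PUB_OTHER = bytes(range(33, 65))
ROOT_MD2 = fake_root("Constructed G1 PCA Root", PUB_G1, OID_MD2_RSA, 1)
ROOT_SHA1 = fake_root("Constructed G1 PCA Root", PUB_G1, OID_SHA1_RSA, 1)
ROOT_OTHER = fake_root("Constructed Unrelated Root", PUB_OTHER, OID_SHA1_RSA, 7)
TRUST_STORE = [ROOT_SHA1, ROOT_OTHER]

def demo():
    """Does the md2-signed root presented by the site match the sha1 anchor?"""
    return {"exact_der": lookup_exact_der(TRUST_STORE, ROOT_MD2),
            "by_identity": lookup_by_identity(TRUST_STORE, ROOT_MD2)}
```

`demo()` returns `{'exact_der': False, 'by_identity': True}`: the whole-DER comparison rejects the presented root even though a trusted copy of the very same subject and key is in the store, which is the symptom the report attributes to `g_tls_file_database_gnutls_lookup_assertion()`. A verifier that keys its trust store on subject plus public key (or on the issuer name and key it needs to check the next certificate in the chain) treats the root sent by the server as a hint only, which is the behaviour the `gnutls-cli` command above shows working.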
