** Description changed:
TEST CASE:
- 1. install epiphany-browser
- 2. run "epiphany-browser https://secure-test.streamline-esolutions.com";
- 3. verify that there is a "!" sign in the lock symbol in the top right (last
bit of the url bar)
- 4. install the updated glib-networking
- 5. repeat step 2
- 6. verify that the "lock" symbol is a lock without a "!" mark
+ - run the reproducer script from comment #1
+ *or*
+ - purchase something inside software-center that uses the "3dsecure" system
to authenticate the credit card
Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they
resigned those same roots using SHA1.
See discussion here:
https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ
In Ubuntu, the Verisign md2 certs do not ship in the system CA certs bundle,
as
the sha1 certs are being shipped instead. SSL libraries are supposed to verify
certs with the sha1 G1 PCA Root just fine, even if the web site sends the md2
G1 PCA Root as part of the cert bundle.
You can test this by using the following command:
gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt --print-cert -p 443
secure-test.streamline-esolutions.com
In older versions of libsoup, such as 2.36.1, this worked fine. Since libsoup
2.37.1, this is no longer working correctly. It seems glib-networking
gtlsfiledatabase-gnutls.c:g_tls_file_database_gnutls_lookup_assertion() is
attempting to validate the whole DER, which wouldn't properly accept the sha1
cert for validation.
Attached is a reproducer. It will first attempt to validate the web site cert
using the old md2 Root, and then will attempt with the sha1 Root. Both should
succeed. With libsoup > 2.37, the sha1 Root fails verification.
** Also affects: glib-networking (Ubuntu Precise)
Importance: Undecided
Status: New
** Changed in: glib-networking (Ubuntu)
Importance: Undecided => High
** Changed in: glib-networking (Ubuntu Precise)
Importance: Undecided => High
** Changed in: glib-networking (Ubuntu)
Status: Confirmed => In Progress
** Changed in: glib-networking (Ubuntu Precise)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1033516
Title:
libsoup fails to validate certain Verisign certificates
To manage notifications about this bug go to:
https://bugs.launchpad.net/glib-networking/+bug/1033516/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
