Hello Marc, or anyone else affected,

Accepted glib-networking into precise-proposed. The package will build
now and be available at
http://launchpad.net/ubuntu/+source/glib-networking/2.32.1-1ubuntu2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from
verification-needed to verification-done.  If it does not, change the
tag to verification-failed.  In either case, details of your testing
will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Description changed:

- TEST CASE:
+ [Impact]
+ Some SSL certificates which can legitimately be verified using known CAs will fail to verify due to wrong root certificates bundled with them over the wire.
+ 
+ [Test Case]
  - run the reproducer script from comment #1
  *or*
  - purchase something inside software-center that uses the "3dsecure" system to authenticate the credit card
  
  Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they
  re-signed those same roots using SHA1.
+ 
+ [Regression potential]
+ Minimal; the code path only changes behavior if the self-signed check fails, falling back to checking against certificates in the local database.
+ 
  
  See discussion here:
  
https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ
  
  In Ubuntu, the Verisign md2 certs do not ship in the system CA certs bundle, as
  the sha1 certs are being shipped instead. SSL libraries are supposed to verify
  certs with the sha1 G1 PCA Root just fine, even if the web site sends the md2
  G1 PCA Root as part of the cert bundle.
  
  You can test this by using the following command:
  
  gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt --print-cert -p 443 secure-test.streamline-esolutions.com
  
  In older versions of libsoup, such as 2.36.1, this worked fine. Since libsoup
  2.37.1, this is no longer working correctly. It seems glib-networking
  gtlsfiledatabase-gnutls.c:g_tls_file_database_gnutls_lookup_assertion() is
  attempting to validate the whole DER, which wouldn't properly accept the sha1
  cert for validation.
  
  Attached is a reproducer. It will first attempt to validate the web site cert
  using the old md2 Root, and then will attempt with the sha1 Root. Both should
  succeed. With libsoup > 2.37, the sha1 Root fails verification.

** Changed in: glib-networking (Ubuntu Precise)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1033516

Title:
  libsoup fails to validate certain Verisign certificates
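
The matching problem the description pins on lookup_assertion, as an added example that is neither the reporter's reproducer nor glib-networking code: one root identity is self-signed twice, the two encodings are compared whole-DER versus by subject plus public key, and the leaf is then validated with only the locally bundled copy trusted. It uses Go's crypto/x509, with SHA-256 and SHA-384 signatures standing in for the md2/sha1 pair because current libraries no longer accept md2; every name and key in it is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent with the signer's key and the given signature algorithm.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey, alg x509.SignatureAlgorithm) *x509.Certificate {
	tmpl.SignatureAlgorithm = alg
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return c
}

// Result: SameDER is the whole-DER match the bug report blames, SameKey the subject+SPKI
// match a CA lookup should use, ChainOK whether the leaf validates with only localRoot trusted.
type Result struct{ SameDER, SameKey, ChainOK bool }

func Demo() Result {
	now := time.Now()
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	// One root identity self-signed twice with different algorithms (constructed stand-ins for
	// Verisign's md2 and sha1 signings): the server sends wireRoot, the system bundle holds localRoot.
	wireRoot := sign(root, root, &rootKey.PublicKey, rootKey, x509.SHA256WithRSA)
	localRoot := sign(root, root, &rootKey.PublicKey, rootKey, x509.SHA384WithRSA)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "demo.example"},
		DNSNames: []string{"demo.example"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)},
		wireRoot, &leafKey.PublicKey, rootKey, x509.SHA256WithRSA)
	roots, wire := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(localRoot)
	wire.AddCert(wireRoot) // the re-signed root exactly as it arrives in the server's chain
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "demo.example", Roots: roots, Intermediates: wire})
	return Result{SameDER: bytes.Equal(wireRoot.Raw, localRoot.Raw), ChainOK: err == nil,
		SameKey: bytes.Equal(wireRoot.RawSubject, localRoot.RawSubject) &&
			bytes.Equal(wireRoot.RawSubjectPublicKeyInfo, localRoot.RawSubjectPublicKeyInfo)}
}
```

A lookup keyed on the raw DER (SameDER) never finds the bundled copy, while the subject and key match (SameKey) and the chain check against the local root both succeed, which is the behaviour the [Regression potential] note describes as the fallback.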
