Hi folks,
I've filled out the SRU template for this bug as best I can based on the
package in the queue. However, I don't consider the test case included
in the source to be sufficient; the test case merely duplicates the code
in the get_certificates() call itself, but does not prove that loading
the certificates in this way will work with either the current
production certificate, or the future replacement certificate. Could
someone please provide an appropriate test for this? (Does not have to
be an automated test in Python - a text "how to test" in the bug
description is sufficient.)

** Description changed:
The client should load all available certificates instead of the
UbuntuOne*.pem ones.
- This is needed as the server will change the certificates due to the
- recent SSL bug and it will not verify against the current loaded CA
- certificates.
+ [Impact]
+ This is needed as the server will change the certificates due to the recent
SSL bug and it will not verify against the current loaded CA certificates.
This change will be future-proof against any other changes to the certificate
chain.
+
+ [Regression potential]
+ The use of all available certificates in the system certificate store,
instead of a select few, increases the risk of a MITM attack by way of a
weakest-link CA. However, many other packages use /etc/ssl/certs as their
certificate store, so this problem would not be specific to UbuntuOne and it
would be a critical security problem if any of the listed CAs were compromised.
+
+ [Test case]
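Review bot: the [Test case] heading added at the end of the description has no body, so the SRU template is still incomplete at that point. Add manual steps showing that a client loading certificates from the system store verifies successfully against the server's current production certificate and against the replacement certificate. In the [Regression potential] text, "a select few" could name the UbuntuOne*.pem files explicitly so the change in trust scope is unambiguous.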

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
Status: In Progress => Incomplete
https://bugs.launchpad.net/bugs/1307549
Title:
Should load all available CA Certificates and not just the u1
bundled/shipped ones