** Description changed:

  The client should load all available certificates instead of the
- UbuntuOne*.pem  ones.
+ UbuntuOne*.pem ones.
  
  [Impact]
- This is needed as the server will change the certificates due to the recent 
SSL bug and it will not verify against the current loaded CA certificates.  
This change will be future-proof against any other changes to the certificate 
chain.
  
- [Regression potential]
- The use of all available certificates in the system certificate store, 
instead of a select few, increases the risk of a MITM attack by way of a 
weakest-link CA.  However, many other packages use /etc/ssl/certs as their 
certificate store, so this problem would not be specific to UbuntuOne and it 
would be a critical security problem if any of the listed CAs were compromised.
+ This is needed as the server will change the certificates due to the
+ recent SSL bug and it will not verify against the current loaded CA
+ certificates.  This change will be future-proof against any other
+ changes to the certificate chain.
  
- [Test case]
+ [Test Case]
+ 
+ A small protocol client is attached that connects and pings the server.
+ 
+ In order to test it, we have the new certificates (with the chain, etc)
+ at staging:
+ 
+ from the root of the branch:
+ 
+ PYTHONPATH=. python2.7 ping_client.py staging
+ 
+ or with the package installed:
+ 
+ python2.7 ping_client.py staging
+ 
+ [Regression Potential]
+ 
+ The use of all available certificates in the system certificate store,
+ instead of a select few, increases the risk of a MITM attack by way of a
+ weakest-link CA. However, many other packages use /etc/ssl/certs as
+ their certificate store, so this problem would not be specific to
+ UbuntuOne and it would be a critical security problem if any of the
+ listed CAs were compromised.
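The two trust configurations discussed in this description (a pinned `UbuntuOne*.pem` bundle versus everything in the system store) can be shown side by side with a small hostname-verifying ping. The following Python 3 code is an added illustration and is not the attached `ping_client.py` nor any part of the ubuntuone-storage-protocol code; the staging host name, the port and the bundle glob are placeholders I chose for the example.

```python
import glob
import socket
import ssl

# Constructed placeholder: the real staging host is not named in the bug report.
STAGING_HOST = "staging.example.invalid"
STAGING_PORT = 443


def build_context(trust_source):
    """Return a verifying TLS client context.

    trust_source is either the string "system" (OpenSSL's default paths,
    /etc/ssl/certs on Debian/Ubuntu, which is what the fixed client relies on)
    or a glob such as "certs/UbuntuOne*.pem" naming a pinned CA bundle, which
    is what the old client did.
    """
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if trust_source == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        files = sorted(glob.glob(trust_source))
        if not files:
            # A bundle that matches nothing would trust no CA at all and fail
            # every handshake later, so surface the misconfiguration here.
            raise FileNotFoundError("no CA bundle matched %r" % trust_source)
        for path in files:
            ctx.load_verify_locations(cafile=path)
    return ctx


def trust_summary(ctx):
    """Plain-data view of the context's trust settings, for logging and tests."""
    return {
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        # Certificates in a capath directory are only counted once they have
        # been used, so for "system" mode this is a lower bound.
        "loaded_cas": len(ctx.get_ca_certs()),
    }


def system_trust_paths():
    """Where "system" mode actually looks, as reported by OpenSSL."""
    paths = ssl.get_default_verify_paths()
    return {"cafile": paths.cafile, "capath": paths.capath}


def ping(host, port, ctx, timeout=10.0):
    """Open a TLS connection, verify chain and hostname, return the peer subject.

    With a pinned bundle that lacks the server's new chain, wrap_socket raises
    ssl.SSLCertVerificationError; with the system store the handshake succeeds
    as long as the chain ends at any CA the distribution ships.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return dict(rdn[0] for rdn in cert["subject"])


if __name__ == "__main__":
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else "system"
    ctx = build_context(source)
    print(trust_summary(ctx), system_trust_paths())
    print(ping(STAGING_HOST, STAGING_PORT, ctx))
```

Run it as `python3 example.py system` to mirror the fixed client, or `python3 example.py 'certs/UbuntuOne*.pem'` to mirror the old behaviour; the regression-potential point above shows up in `trust_summary`, where the system store loads far more issuers than the pinned bundle, so any one of them is sufficient to pass verification.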

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1307549

Title:
  Should load all available CA Certificates and not just the u1
  bundled/shipped ones

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntuone-storage-protocol/+bug/1307549/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs