Public bug reported:

[Impact]

Recently, due to some combination of the recent ca-certificates SRU and
server certificate chain reconfigurations, the gnutls28 package in trusty
was left unable to validate many valid certificate chains, such as that of
google.com.

 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

The problem is that although GeoTrust Global CA is a trusted certificate,
gnutls28 gives up after noting that Equifax Secure Certificate Authority is
not.

This bug was fixed upstream by these commits:

https://gitlab.com/gnutls/gnutls/commit/72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9
https://gitlab.com/gnutls/gnutls/commit/9dbe3aab9e157ef8f7a67112a4619d4f028519dc
https://gitlab.com/gnutls/gnutls/commit/d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31

[Test Case]

One way to reproduce this is by building and running gnutls-cli:

$ apt-get build-dep gnutls28
$ apt-get source gnutls28
$ cd gnutls28-3.2.11
$ debian/rules build
$ ./src/gnutls-cli google.com
Processed 118 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4009:811::200e:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA256, activated `2017-09-26 11:09:35 UTC', expires `2017-12-19 10:59:00 UTC', SHA-1 fingerprint `a2a8d7ae1097865469dd5cf830896b930b704c8c'
	Public Key ID:
		e3e4e591a11311b8c92f8cddbebbea025d0e2088
	Public key's random art:
		+--[ EC 256]----+
		|o .o.            |
		|E . . .          |
		| . . . o. .      |
		| . = o o         |
		| . B oS +        |
		| . o =+o= .      |
		| . oo .          |
		| . .             |
		| oo.++           |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-05-22 11:32:37 UTC', expires `2018-12-31 23:59:59 UTC', SHA-1 fingerprint `a6120fc0b4664fad0b3b6ffd5f7a33e561ddb87d'
- Certificate[2] info:
 - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

(Note that the gnutls-cli binary in trusty's gnutls-bin package comes from
gnutls26, which seems to have already received the necessary updates,
although it requires the '--x509cafile /etc/ssl/certs/ca-certificates.crt'
option.)

[Regression Potential]

Most GnuTLS-dependent packages in trusty use gnutls26 rather than gnutls28,
so potential regressions, if any, would likely manifest in self-compiled
binaries and PPA packages that were specifically compiled against gnutls28.
(I noticed this bug in the first place because vlc from ppa:jonathonf/vlc
became unable to play YouTube videos.)

** Affects: gnutls28 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: patch trusty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1722411

Title:
  gnutls28 in trusty no longer validates many valid certificate chains,
  such as google.com

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
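The chain-building point in the report, shown as an added example that is not the reporter's code and not GnuTLS's: a verifier that walks the server-sent chain to its end and then demands that the last certificate's issuer be trusted fails on the google.com chain, because the trust anchor (GeoTrust Global CA) sits in the middle and the final cross-signing issuer (Equifax) is not in the store. A verifier that stops as soon as a certificate chains to a trust anchor accepts it. The certificate model, the HMAC stand-in for signatures, the keys and the function names below are all assumptions made for illustration; only the subject names mirror the chain in the report.

```python
"""Toy model of X.509 chain building with a trust anchor mid-chain.

Mirrors the report's chain: leaf -> Google Internet Authority G2 ->
GeoTrust Global CA (cross-signed by Equifax).  The trust store holds the
self-signed GeoTrust Global CA but not Equifax.  Signatures are a
constructed stand-in (HMAC under the issuer's key); real X.509 uses
public-key signatures and also checks validity, basicConstraints, key
usage, name constraints and revocation, none of which is modelled here.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes        # stand-in for the subject's public key (here: a MAC key)
    signature: bytes  # MAC over the to-be-signed fields, made with the issuer's key


def _tbs(subject: str, issuer: str, key: bytes) -> bytes:
    return b"|".join([subject.encode(), issuer.encode(), key])


def issue(subject: str, key: bytes, issuer: Optional[Cert] = None) -> Cert:
    """Issue a cert for `subject`; self-signed when no issuer is given."""
    issuer_name = issuer.subject if issuer else subject
    signing_key = issuer.key if issuer else key
    sig = hmac.new(signing_key, _tbs(subject, issuer_name, key), hashlib.sha256).digest()
    return Cert(subject, issuer_name, key, sig)


def signed_by(cert: Cert, candidate_issuer: Cert) -> bool:
    """True if `cert` names `candidate_issuer` AND its signature verifies
    under that issuer's key.  A matching name alone proves nothing."""
    if cert.issuer != candidate_issuer.subject:
        return False
    expected = hmac.new(candidate_issuer.key,
                        _tbs(cert.subject, cert.issuer, cert.key),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def verify_naive(chain: List[Cert], anchors: List[Cert]) -> bool:
    """The failing behaviour described in the report (simplified): walk the
    chain exactly as the server sent it, then require the LAST cert's
    issuer to be a trust anchor.  A trusted CA in the middle is ignored."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if not signed_by(child, parent):
            return False
    return any(signed_by(chain[-1], anchor) for anchor in anchors)


def verify_fixed(chain: List[Cert], anchors: List[Cert]) -> bool:
    """Stop at the first cert that chains to a trust anchor; only fall back
    to the next server-sent cert when no anchor signed the current one."""
    for i, cert in enumerate(chain):
        if any(signed_by(cert, anchor) for anchor in anchors):
            return True                   # reached a trust anchor: done
        if i + 1 < len(chain) and signed_by(cert, chain[i + 1]):
            continue                      # keep walking the server's chain
        return False                      # dangling issuer: untrusted
    return False


def build_scenario() -> Tuple[List[Cert], Cert, Cert]:
    """Constructed toy PKI; only the names follow the report's chain."""
    k_eq, k_gt, k_g2, k_leaf = (hashlib.sha256(n).digest()
                                for n in (b"equifax", b"geotrust", b"gia-g2", b"leaf"))
    equifax = issue("Equifax Secure Certificate Authority", k_eq)
    geotrust_root = issue("GeoTrust Global CA", k_gt)            # self-signed, in the trust store
    geotrust_cross = issue("GeoTrust Global CA", k_gt, equifax)  # same key, cross-signed by Equifax
    gia_g2 = issue("Google Internet Authority G2", k_g2, geotrust_root)
    leaf = issue("*.google.com", k_leaf, gia_g2)
    server_chain = [leaf, gia_g2, geotrust_cross]                # what the server sends
    return server_chain, geotrust_root, equifax


if __name__ == "__main__":
    chain, geotrust_root, equifax = build_scenario()
    print("naive, GeoTrust only:", verify_naive(chain, [geotrust_root]))           # False (the bug)
    print("naive, plus Equifax :", verify_naive(chain, [geotrust_root, equifax]))  # True
    print("fixed, GeoTrust only:", verify_fixed(chain, [geotrust_root]))           # True
```

Two details worth keeping when porting this logic anywhere real: the anchor lookup in `verify_fixed` must verify the signature against the anchor's key, not merely match the issuer name (an anchor named "GeoTrust Global CA" with a different key is rejected and the walk falls through to the server's cross certificate, which then dangles at Equifax); and a server that simply omits the cross certificate passes under both verifiers, which is why the breakage in the report depended on what each server chose to send.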
