Debian Bug report logs - #683403
ca-certificates: Missing Verisign md2 certs due to broken extract script


Package: ca-certificates; Maintainer for ca-certificates is Michael Shuler <michael@pbandjelly.org>; Source for ca-certificates is src:ca-certificates.

Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Tue, 31 Jul 2012 14:12:02 UTC

Severity: normal

Tags: patch

Found in versions ca-certificates/20111211, ca-certificates/20130906

Fixed in version ca-certificates/20140223

Done: Michael Shuler <michael@pbandjelly.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#683403; Package ca-certificates. (Tue, 31 Jul 2012 14:12:04 GMT)

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Tue, 31 Jul 2012 14:12:04 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ca-certificates: Missing Verisign md2 certs due to broken extract script
Date: Tue, 31 Jul 2012 10:10:32 -0400
Package: ca-certificates
Version: 20111211
Severity: normal

Verisign shipped G1 PCA Roots with md2 signatures on them. At some point,
they resigned those roots using SHA1, but requested that the original certs
keep shipping in Mozilla's cert list as they had issued intermediates with
AKIs that point to the MD2 versions.

See discussion here:
https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ

Now, ca-certificates uses a script called "certdata2pem.py" to extract the
certificates from the certdata.txt file provided by Mozilla into individual
files. Unfortunately, the script names the certificate file using the
CKA_LABEL. In two instances, the verisign md2 and sha1 certs have the same
CKA_LABEL, so the script is overwriting the first one (md2) with the second
one (sha1).

This results in the Verisign md2 certs being missing from the system ca certs.
This usually isn't a problem except in the case where a website is handing
out a complete cert chain, including the md2 root cert. When that happens,
webkit is unable to verify the md2 root cert, and the connection fails.

See reproducer in downstream bug report here:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1031333



Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#683403; Package ca-certificates. (Wed, 01 Aug 2012 14:39:05 GMT)

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Wed, 01 Aug 2012 14:39:05 GMT)

Message #10 received at 683403@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 683403@bugs.debian.org
Date: Wed, 01 Aug 2012 10:37:08 -0400
OK, I am now convinced that we don't need the md2 certs, applications
should be able to validate using the sha1 certs. I believe a bug in
libsoup/glib-networking is causing the sha1 certs to not be used.

We still should improve ca-certificates to make _sure_ that we're
shipping the sha1 certs instead of the md2 certs, as it currently ships
the sha1 certs by coincidence as they are listed later in Mozilla's
file. If they ever change the order of their file, we'll be shipping the
md2 ones by mistake.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683403; Package ca-certificates. (Wed, 01 Aug 2012 16:27:05 GMT)

Acknowledgement sent to Michael Shuler <michael@pbandjelly.org>:
Extra info received and forwarded to list. (Wed, 01 Aug 2012 16:27:05 GMT)

Message #15 received at 683403@bugs.debian.org (full text, mbox):

From: Michael Shuler <michael@pbandjelly.org>
To: 683403@bugs.debian.org
Subject: Re: Bug#683403:
Date: Wed, 01 Aug 2012 11:24:25 -0500
On 08/01/2012 09:37 AM, Marc Deslauriers wrote:
> OK, I am now convinced that we don't need the md2 certs, applications
> should be able to validate using the sha1 certs. I believe a bug in
> libsoup/glib-networking is causing the sha1 certs to not be used.

Thanks for the clarification.

> We still should improve ca-certificates to make _sure_ that we're
> shipping the sha1 certs instead of the md2 certs, as it currently ships
> the sha1 certs by coincidence as they are listed later in Mozilla's
> file. If they ever change the order of their file, we'll be shipping the
> md2 ones by mistake.

We strive to properly ship each trusted CA in the mozilla certdata.txt,
so I agree and will work on correcting this.  Thanks for the report :)

-- 
Kind regards,
Michael Shuler




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#683403; Package ca-certificates. (Thu, 05 Dec 2013 13:21:14 GMT)

Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>. (Thu, 05 Dec 2013 13:21:15 GMT)

Message #20 received at 683403@bugs.debian.org (full text, mbox):

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <683403@bugs.debian.org>
Subject: Re: ca-certificates: Missing Verisign md2 certs due to broken extract script
Date: Thu, 05 Dec 2013 08:16:43 -0500
Package: ca-certificates
Version: 20130906
Followup-For: Bug #683403
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu trusty ubuntu-patch


OpenSSL doesn't appear to correctly handle not having both versions
of the same signed roots. I have decided that we need to ship both
versions to fix a long standing bug where some websites simply weren't
accessible.

In Ubuntu, the attached patch was applied to achieve the following:

  * mozilla/certdata2pem.py: Work around openssl issue by shipping both
    versions of the same signed roots. Previously, the script would simply
    overwrite the first one found in the certdata.txt with the later one
    since they both have the same CKA_LABEL, resulting in identical
    filenames. (LP: #1014640)


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers saucy-updates
  APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy-proposed'), (500, 'saucy'), (100, 'saucy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11.0-15-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[ca-certificates_20130906ubuntu1.debdiff (text/x-diff, attachment)]
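The filename collision described in the original report, and the "ship both versions" behaviour the December 2013 patch asks for, as an added self-contained illustration. This is not the package's certdata2pem.py nor the attached debdiff; the sample objects are constructed placeholders in certdata.txt syntax, not real certificates. `naive_extract` reproduces the pre-fix behaviour, where the output filename is the CKA_LABEL and the later of two same-labelled roots silently overwrites the earlier one. `extract` keeps every trusted, byte-distinct certificate and suffixes a repeated label with _2, _3, ... The suffix scheme and the choice to match CKO_NSS_TRUST objects on issuer plus serial number rather than on the (equally duplicated) label are this example's own design decisions; the real script may do it differently.

```python
"""Extract trusted CKO_CERTIFICATE objects from certdata.txt syntax, one file
per distinct certificate even when two objects share a CKA_LABEL."""
import re

TRUST_KEYS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
              "CKA_TRUST_CODE_SIGNING")

def parse_certdata(text):
    """Yield one dict per blank-line-separated object.  Each record is
    'KEY TYPE VALUE'; MULTILINE_OCTAL bodies run up to a line 'END'."""
    lines, obj = iter(text.splitlines()), {}
    for line in lines:
        line = line.strip()
        if line.startswith("#"):
            continue
        if not line:
            if obj:
                yield obj
            obj = {}
            continue
        key, typ, value = (line.split(None, 2) + [""])[:3]
        if typ == "MULTILINE_OCTAL":
            body = []
            for raw in lines:
                if raw.strip() == "END":
                    break
                body.append(raw)
            # "\060\202..." octal escapes -> DER bytes
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(body)))
        elif typ == "UTF8":
            value = value.strip('"')
        obj[key] = value
    if obj:
        yield obj

def filename_base(label):
    return re.sub(r"[^A-Za-z0-9_.-]", "_", label)

def naive_extract(text):
    """Pre-fix behaviour: the filename is the CKA_LABEL, so the later of two
    same-labelled certificates silently overwrites the earlier one."""
    return {filename_base(o["CKA_LABEL"]) + ".crt": o["CKA_VALUE"]
            for o in parse_certdata(text) if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}

def extract(text):
    """Fixed behaviour: ship every trusted, byte-distinct certificate and
    suffix the filename (_2, _3, ...) when its label was already used."""
    objs = list(parse_certdata(text))
    # Trust objects repeat the label too, so match them on (issuer, serial),
    # which CKO_NSS_TRUST objects also carry, rather than on CKA_LABEL.
    trusted = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]):
               any(o.get(k) == "CKST_NSS_TRUSTED_DELEGATOR" for k in TRUST_KEYS)
               for o in objs if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    out, seen = {}, set()
    for o in objs:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        der = o["CKA_VALUE"]
        if der in seen or not trusted.get((o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"])):
            continue
        seen.add(der)
        base = filename_base(o["CKA_LABEL"])
        name, n = base, 1
        while name + ".crt" in out:
            n += 1
            name = f"{base}_{n}"
        out[name + ".crt"] = der
    return out

# Constructed sample in certdata.txt syntax.  The octal bodies are short
# placeholder byte strings, NOT real certificates.
def _obj(cls, label, serial, value=None, trust=None):
    rec = [f"CKA_CLASS CK_OBJECT_CLASS {cls}", f'CKA_LABEL UTF8 "{label}"',
           "CKA_ISSUER MULTILINE_OCTAL", r"\060\001", "END",
           "CKA_SERIAL_NUMBER MULTILINE_OCTAL", serial, "END"]
    if value:
        rec += ["CKA_VALUE MULTILINE_OCTAL", value, "END"]
    if trust:
        rec.append(f"CKA_TRUST_SERVER_AUTH CK_TRUST {trust}")
    return "\n".join(rec) + "\n"

VSIGN = "Verisign Class 3 Public Primary Certification Authority"
SAMPLE = "\n".join([
    _obj("CKO_CERTIFICATE", VSIGN, r"\002\001\001", value=r"\060\003\002\001\001"),
    _obj("CKO_NSS_TRUST", VSIGN, r"\002\001\001", trust="CKST_NSS_TRUSTED_DELEGATOR"),
    _obj("CKO_CERTIFICATE", VSIGN, r"\002\001\002", value=r"\060\003\002\001\002"),
    _obj("CKO_NSS_TRUST", VSIGN, r"\002\001\002", trust="CKST_NSS_TRUSTED_DELEGATOR"),
    _obj("CKO_CERTIFICATE", "Example Distrusted Root", r"\002\001\003",
         value=r"\060\003\002\001\003"),
    _obj("CKO_NSS_TRUST", "Example Distrusted Root", r"\002\001\003",
         trust="CKST_NSS_NOT_TRUSTED"),
])

if __name__ == "__main__":
    print("before fix:", sorted(naive_extract(SAMPLE)))
    print("after fix: ", sorted(extract(SAMPLE)))
```

Run it directly to see the two listings side by side: the naive pass ends up with a single Verisign file holding whichever object came last in the input, which is exactly the order dependence Marc warns about in message #10, while the fixed pass emits both and drops the distrusted root. To look for the same class of problem in an installed store, compare `openssl x509 -noout -subject -fingerprint` output across /etc/ssl/certs and look for identical subjects with different fingerprints.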

Added tag(s) patch. Request was from Michael Shuler <michael@pbandjelly.org> to control@bugs.debian.org. (Fri, 06 Dec 2013 18:15:09 GMT)

Added tag(s) pending. Request was from Michael Shuler <michael@pbandjelly.org> to control@bugs.debian.org. (Sun, 23 Feb 2014 23:39:15 GMT)

Reply sent to Michael Shuler <michael@pbandjelly.org>:
You have taken responsibility. (Thu, 13 Mar 2014 13:06:09 GMT)

Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Thu, 13 Mar 2014 13:06:09 GMT)

Message #29 received at 683403-close@bugs.debian.org (full text, mbox):

From: Michael Shuler <michael@pbandjelly.org>
To: 683403-close@bugs.debian.org
Subject: Bug#683403: fixed in ca-certificates 20140223
Date: Thu, 13 Mar 2014 13:03:23 +0000
Source: ca-certificates
Source-Version: 20140223

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683403@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Feb 2014 23:22:29 -0600
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20140223
Distribution: unstable
Urgency: medium
Maintainer: Michael Shuler <michael@pbandjelly.org>
Changed-By: Michael Shuler <michael@pbandjelly.org>
Description: 
 ca-certificates - Common CA certificates
Closes: 635570 683403 718434 727136
Changes: 
 ca-certificates (20140223) unstable; urgency=medium
 .
   * No longer ship cacert.org certificates.  Closes: #718434, LP: #1258286
   * Fix certdata2pem.py for multiple CAs using the same CKA_LABEL.  Thanks
     to Marc Deslauriers for the patch.  Closes: #683403, LP: #1031333
   * Sort local CA certificates on update-ca-certificates runs.  Thanks to
     Vaclav Ovsik for the suggestion and patch.  Closes: #727136
   * Add trailing newline to certificate, if it is missing.  Closes: #635570
   * Update mozilla/certdata.txt to version 1.97.
     Certificates added (+), removed (-), and renamed (~):
     + "ACCVRAIZ1"
     + "Atos TrustedRoot 2011"
     + "E-Tugra Certification Authority"
     + "SG TRUST SERVICES RACINE"
     + "T-TeleSec GlobalRoot Class 2"
     + "TWCA Global Root CA"
     + "TeliaSonera Root CA v1"
     + "Verisign Class 3 Public Primary Certification Authority"
     ~ "Verisign Class 3 Public Primary Certification Authority"_2
       (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
     - "Entrust.net Secure Server CA"
     - "Firmaprofesional Root CA"
     - "GTE CyberTrust Global Root"
     - "RSA Root Certificate 1"
     - "TDC OCES Root CA"
     - "ValiCert Class 1 VA"
     - "ValiCert Class 2 VA"
     - "Wells Fargo Root CA"
Checksums-Sha1: 
 5c16595be2d53faae390f91d8e46b292f100b2b8 1420 ca-certificates_20140223.dsc
 ad57a45f0422fafd78a2e8191e5204f2306cc91b 274768 ca-certificates_20140223.tar.xz
 be6a0d32c76ae4adaafc04aefb56bb00b5cc72ed 190226 ca-certificates_20140223_all.deb
Checksums-Sha256: 
 d3be3f9ecba77f7feb176cbc1fb1df2ad320b29368b53a3d9d9f70a0713d5ce3 1420 ca-certificates_20140223.dsc
 815b7cd97200b0d76450bb3e7d9b65997ac494ab6467b17369f65b2ef94bcb0c 274768 ca-certificates_20140223.tar.xz
 13cb11144a97d95a8be130e4bcdd6c9ffc3df269bb194699bcd21ca377e01df2 190226 ca-certificates_20140223_all.deb
Files: 
 fcf461554a554420e0359d7810269cc0 1420 misc optional ca-certificates_20140223.dsc
 ff4049c32342ea450cda82bb14026ffd 274768 misc optional ca-certificates_20140223.tar.xz
 555a2965e08517f0ef84a8810016f75b 190226 misc optional ca-certificates_20140223_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTIap0AAoJEFb2GnlAHawE+kAH/1QGWMJV89sAmclrYeeyDKvl
9PnaATmhoVow3yL+Qg/CBKUZeahlXrBdQt7QsItn6whH2NOQUiWbsprzImZdT3xo
GOHSWRBbjosmz1Uco1Iw2abdUIfPDnWvQEEo5oHnHg38s/3wcI/ADDTXkuf69PNT
joGdyBYsJyAH/ltw6WiwiKO0nYwAQv006d/Q9jn8rqOB0MIwx4EUR+Z/qtZRk++n
Xob/g6EsoqbKgB0MH4kqnhn1ZSKBQviTZOlhfkoe2KWfJZCpOmTmDYXdZb7Kh3TC
2nw+FC9ees/ccdwDrnGnif+Mp3CPGrXjbvDvH1kX04nFrP0fI86ClnNlE1VAnoQ=
=VLPi
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Apr 2014 07:25:17 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 17:02:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.