Missing Verisign certs due to broken extract script

Here is a small reproducer that shows the issue with a website that needs the md2 Verisign cert.

I think it would be irresponsible to provide MD2-signed certificates. The discussion is dated 2009. I think ca-certificates should provide neither MD2 nor MD5 root certificates. And MD2 verification should be unsupported in the crypto lib anyway (see CVE-2009-2409).

These are _root_ certs, the crypto library doesn't verify the signatures on root certs, since they are self-signed.

If we really don't want to ship md2 root certs, we need to make sure ca-certificates deliberately disables them, instead of overwriting them by coincidence just because they are listed first in Mozilla's cert file.

In theory, the sha1 cert should be sufficient, and earlier versions of libsoup accepted that one without an issue. I'm currently investigating whether this is a regression in libsoup or not.

OK, I am now convinced that we don't need the md2 certs, applications
should be able to validate using the sha1 certs. I believe a bug in
libsoup/glib-networking is causing the sha1 certs to not be used.

We still should improve ca-certificates to make _sure_ that we're
shipping the sha1 certs instead of the md2 certs, as it currently ships
the sha1 certs by coincidence as they are listed later in Mozilla's
file. If they ever change the order of their file, we'll be shipping the
md2 ones by mistake.

I looked a bit at the gio code this morning and it appears the problem with the site in question is that gtlsdatabase-gnutls.c:build_certificate_chain does not find a "anchor" and therefore passes NULL as the anchors to gnutls_x509_crt_list_verify() which always fails with " *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;" in lib/x509/verify.c:_gnutls_verify_certificate2. The cli version of gnutls seems to simply pass the list of all trusted CAs to gnutls_x509_crt_list_verify() instead of trying to find the right trusted CA itself (which looks like a more sensible approach to me).

It seems like the problem is the following:

GNUTLS:
- gnutls passes all certificates in /etc/ssl/certs/ca-certificates.crt
- the server secure-test.streamline-esolutions.com returns a certificate that is signed with the Verisign_Class_3_Public_Primary_Certification_Authority.pem certificate with the fingerprint "openssl x509 -in Verisign_Class_3_Public_Primary_Certification_Authority.pem -noout -fingerprint
SHA1 Fingerprint=A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B"
- the server does *not* return this certificate though, it returns a weaker md2 certificate
- the "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B"" certificate is part of the trusted certs so gnutls is happy

GIO:
- gio-network is looking at each of the certificates in the certification chain retuned by the server
- it will *not* load all certificates from /etc/ssl/certs/ca-certificates.crt for verification, but *only* those that are also returned by the server as part of the verification chain
- the server only returns the weak md2 ceritificate and not the stronger A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B certificate
- gio can not find the md2 certificate as we do not ship that
- gio fails with a error as it does not find root certificate from the server that is also in the local /etc/ssl/certs/ca-certificates.crt

This indicates server misconfiguration IMO plus a it seems that gio is overly restrictive here. It could simply pass all data to gnutls for the verification.

I've opened LP: #1033516 for the bug that glib-networking (and libsoup >= 2.37) won't validate properly using the sha1 cert.

Fwiw, when inspecting the site with mozilla and chromeium I see the md2 cert in the root of the chain.

And openssl returns:
$ openssl s_client -connect secure-test.streamline-esolutions.com:443 ; openssl s_client -connect secure-test.streamline-esolutions.com
    Verify return code: 19 (self signed certificate in certificate chain)

Which makes me wonder if adding the md2 certs back is not the right option as that is apparently what mozilla and chrome(ium) are doing. Plus openssl fails.

Technically I think (but I have to admit a certain ignorance about the standard) the verification chain is invalid because the server sends that the certificate issuer of the cert in the middle is the md2 cert. It just happens that gnutls implements the verification by trying to find a issuer from the list of trusted certificates and does not rely on the issuer set in the cert itself.

mozilla and Chromium still have the md2 cert, because VeriSign had issued intermediates with AKIs that point to the
MD2 versions. I'm not sure there are any left though.

If you remove the md2 cert from firefox, and restart it, it will still validate the site correctly.

You need to tell openssl where the CA cert bundle is:

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect secure-test.streamline-esolutions.com:443

Doing that results in a successful verification, even though the md2 cert isn't in the system CA bundle:
Verify return code: 0 (ok)

Thanks Marc, indeed you are right :)

> I'm not sure there are any left though.

There are. As of today 5/11/2013, Verisign's md2 certificate *is* still in use,
i.e., still being sent out as part of the cert chain at actual sites,
see e.g., pip.verisignlabs.com -- which is Verisign/Symantec's openid provider
and thus may be particularly widely used.

and causing connections to fail. My own particular trouble is with Perl's IO::Socket::SSL but
openssl fails as well, even with the certificate path/file explicitly specified:

openssl s_client -showcerts -tls1 -CApath /etc/ssl/certs -connect pip.verisignlabs.com:443 </dev/null
openssl s_client -showcerts -tls1 -CAfile /etc/ssl/certs/ca-certificates.crt -connect pip.verisignlabs.com:443 </dev/null

both result in

    Verify return code: 20 (unable to get local issuer certificate)

Adding in the md2 certificate as a locally trusted certificate fixed things.
This being on a fresh upgrade of Debian 7.0 (wheezy) ca-certficates version 20130119

Also, there's another certificate from "Startcom Certification Authority" that's in a similar boat
 i.e., two versions -- SHA1 and SHA256 --- of the same certificate in the Mozilla bundle, identically named

According to openssl's "verify" manpage, verification is SUPPOSED to fail in situations like these

       The lookup first looks in the list of untrusted certificates and if no match is found the remaining lookups are from the
       trusted certificates.

from which I infer that if a match IS found in the supplied chain then there won't BE a lookup in the certificate store and the actual bona fide issuer for Verisign's "G5" subject (the root certificate self-signed by "G5") will never actually be found. I.e., there's no way to know a priori that the supposedly intermediate "G5" actually *is* backed by a known root certificate unless we're going to look up *every* certificate we get in the root store.

So I don't see how this can be an openssl bug unless openssl is interpreting the spec wrong (and I have no idea about that other than that it seems silly to require looking up every certificate received in the root store on the off-chance that it might be a root and the remote server maintainer who is the primary user of the certificate somehow didn't realize it...)

... which would then mean there needs to be a way to include the m2 certificate in the root store somehow

This bug was fixed in the package ca-certificates - 20130906ubuntu0.13.10.1

---------------
ca-certificates (20130906ubuntu0.13.10.1) saucy-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 17:04:56 -0500

This bug was fixed in the package ca-certificates - 20130906ubuntu0.12.04.1

---------------
ca-certificates (20130906ubuntu0.12.04.1) precise-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - No longer ship obsolete debconf.org certificates
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 17:39:43 -0500

This bug was fixed in the package ca-certificates - 20130906ubuntu0.10.04.1

---------------
ca-certificates (20130906ubuntu0.10.04.1) lucid-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265, LP: #1271357):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - No longer ship obsolete debconf.org certificates
    - No longer ship expired brasil.gov.br certificates
    - No longer ship expired signet.pl certificates
    - No longer ship gouv.fr certificates, now part of mozilla bundle
    - No longer ship telesec.de certificates, now part of mozilla bundle
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Fri, 07 Feb 2014 13:58:53 -0500