Ubuntu Push Notifications

tls in ubuntu-push client doesn't support certs with 384/512 signatures...

Bug #1434556 reported by Samuele Pedroni on 2015-03-20

This bug affects 4 people

	Status	Importance	Assigned to	Milestone
Canonical System Image	Invalid	High	Bret Barker	Canonical System Image ww17-2015
Ubuntu Push Notifications	Invalid	High	Unassigned
account-polld (Ubuntu)	Invalid	Undecided	Unassigned
ubuntu-push (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

we noticed this when webops tried to replace the push.ubuntu.com certificates, for now they reverted the cert and are looking into getting us new shorter bits cert for a while;

see

http://bridge.grumpy-troll.org/2014/05/golang-tls-comodo/

we need to sprinkle import _ "crypto/sha512" around

See original description

Related branches

lp:~pedronis/ubuntu-push/supp-sha384-512-certs

Merged into lp:ubuntu-push/automatic at revision 395

Guillermo Gonzalez: Approve on 2015-04-16

Samuele Pedroni (pedronis) on 2015-03-20

summary:	- tls in ubuntu-push client doesn't support certs with 385/512 + tls in ubuntu-push client doesn't support certs with 384/512 signatures...
description:	updated

Bret Barker (noise) on 2015-03-20

Changed in ubuntu-push:
importance:	Undecided → High

Revision history for this message

Pat McGowan (pat-mcgowan) wrote on 2015-03-20:

For now the server cert was reverted, need a permanent solution

Changed in canonical-devices-system-image:
importance:	Undecided → High
milestone:	none → ww13-2015
status:	New → Confirmed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-03-25:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in account-polld (Ubuntu):
status:	New → Confirmed
Changed in ubuntu-push (Ubuntu):
status:	New → Confirmed

Pat McGowan (pat-mcgowan) on 2015-04-13

Changed in canonical-devices-system-image:
assignee:	nobody → Bret Barker (noise)
milestone:	ww13-2015 → ww17-2015

Revision history for this message

Joey Stanford (joey) wrote on 2015-04-13:

fwiw, we've had to stop issuing SHA-512 certs for fear that it will affect users. We do have some 512s that are out there yet. I'd like to resume issuing 512s instead of 256 as soon as you believe the fix has been populated out to the user base. At that time we'll start to re-issue our 256s as 512s when they expire.

Our normal process is to choose a security stance that allows for the widest amount of access using protocols that are still considered secure. In this specific case, the algorithms to support 512 are (usually) part of the 256 set but yet provide a slightly better security posture and have slightly better hashing performance over 256. SHA-2 has been out since 2001 and I believe it's penetration is sufficient at this point for us to legitimately use it without any ill effects.

Samuele Pedroni (pedronis) on 2015-04-15

Changed in ubuntu-push:
status:	Triaged → In Progress

Samuele Pedroni (pedronis) on 2015-04-16

Changed in account-polld (Ubuntu):
status:	Confirmed → In Progress

Samuele Pedroni (pedronis) on 2015-04-16

Changed in ubuntu-push (Ubuntu):
status:	Confirmed → In Progress

Revision history for this message

Samuele Pedroni (pedronis) wrote on 2015-04-16:

this doesn't affect vivid because account-polld and ubuntu-push-client are compiled with go 1.3.3 there so this go upstream change applies:

https://github.com/golang/go/commit/b53bb2cae512ce4abb

Revision history for this message

Pat McGowan (pat-mcgowan) wrote on 2015-04-17:

marking invalid since vivid sync will fix it and no need to backport anything

Changed in canonical-devices-system-image:
status:	Confirmed → Invalid

Samuele Pedroni (pedronis) on 2015-06-25

Changed in ubuntu-push:
status:	In Progress → Invalid
Changed in account-polld (Ubuntu):
status:	In Progress → Invalid
Changed in ubuntu-push (Ubuntu):
status:	In Progress → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.