[precise] Too few certificate authorities listed after upgrade to 12.04

Bug #911592 reported by Jamie Strandboge on 2012-01-04
This bug affects 3 people
Affects               Importance   Assigned to
evolution (Ubuntu)    High         Unassigned
  Precise             High         Unassigned
nss (Ubuntu)          High         Unassigned
  Precise             High         Unassigned

Bug Description

After upgrading to precise, when I try to send an email with evolution, I am presented with:
SSL Certificate check for smtp.canonical.com:

Issuer: CN=Thawte DV SSL CA,OU=Domain Validated SSL,O="Thawte, Inc.",C=US
Subject: CN=smtp.canonical.com,OU=Domain Validated,OU=Thawte SSL123 certificate,OU=Go to https://www.thawte.com/repository/index.html,O=smtp.canonical.com
Fingerprint: a2:ee:86:1c:94:4e:74:86:2c:24:2f:0e:6e:cc:cd:db
Signature: BAD

Do you wish to accept? Yes|No

I verified the certificate is valid using gnutls:
 * gnutls-cli -s --print-cert --x509cafile /etc/ssl/certs/ -p 587 smtp.canonical.com
 * > ehlo test
 * > starttls
 * in another terminal do 'kill -s SIGALRM <pid of gnutls-cli>'

Remembering that evolution uses nss, I then went to Edit/Preferences/Certificates/Authorities and discovered that many certificate authorities are missing from the list, including Thawte's Root CAs. I verified that Oneiric had the certificate authority, and it did along with many more. I am not sure if the bug is with nss or with evolution, but evolution in 12.04 is not seeing all the certificates it used to see in 11.10.

Marking this as High priority and checking the security box as this prevents proper certificate verification.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libnss3 3.13.1.with.ckbi.1.88-1ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-7.13-generic 3.2.0-rc7
Uname: Linux 3.2.0-7-generic x86_64
ApportVersion: 1.90-0ubuntu1
Architecture: amd64
Date: Tue Jan 3 21:34:09 2012
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110425.2)
SourcePackage: nss
UpgradeStatus: Upgraded to precise on 2012-01-02 (1 days ago)

Jamie Strandboge (jdstrand) wrote :
visibility: private → public
Changed in nss (Ubuntu):
importance: Undecided → High
tags: added: rls-p-tracking
Changed in nss (Ubuntu):
milestone: none → precise-alpha-2
description: updated
Jamie Strandboge (jdstrand) wrote :

I just tested this in a VM, and evolution shows zero certificate authorities.

Jamie Strandboge (jdstrand) wrote :

Unsurprisingly with 0 certificate authorities, said VM is prompted with the same 'Bad signature' dialog when trying to send mail to smtp.canonical.com.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Added an evolution task as it isn't clear if it is evolution or nss that is the problem.

Changed in evolution (Ubuntu Precise):
status: New → Confirmed
milestone: none → precise-alpha-2
Marc Deslauriers (mdeslaur) wrote :

FYI, I also get the ssl cert dialog when connecting using IMAP.

Changed in evolution (Ubuntu Precise):
importance: Undecided → High

I did get that dialog too.

I must still be missing something but now I got a little farther into looking up the certificates. It seems to be as though evolution is supposed to load built-in certs from NSS from the nssckbi.so file; which comes from /usr/lib/<triplet>/nss. Unfortunately, evolution uses nss's libdir directly to look for nssckbi, so it probably just looks for it in one directory too low (missing "/nss"). Seems like this is probably something that changed in NSS itself, but I'll first verify this with a test patch in evo.
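The path mix-up described in the comment above can be checked from a shell. The script below is an added example for this page, not code from evolution, nss or the Ubuntu packaging: it takes the NSS libdir (the value nss.pc exposes via `pkg-config --variable=libdir nss`) and looks for libnssckbi.so both directly in that libdir, where the comment says evolution 3.2.2 searched, and in the nss/ subdirectory under it, where Ubuntu precise ships the module. The fake directory layout it builds with mktemp is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from evolution/nss).
# Diagnose whether the NSS built-in root-CA module (libnssckbi.so)
# sits where an application looks for it relative to nss's libdir.

# find_nssckbi LIBDIR
#   Prints the first location where libnssckbi.so exists, trying the
#   bare libdir first and then libdir/nss (the precise layout).
#   Returns 0 when found, 1 when neither candidate exists.
find_nssckbi() {
    libdir=$1
    for candidate in "$libdir/libnssckbi.so" "$libdir/nss/libnssckbi.so"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# evolution_pre_fix_path LIBDIR
#   The single path the unpatched evolution is described as trying:
#   libdir with no nss/ component appended.
evolution_pre_fix_path() {
    printf '%s/libnssckbi.so\n' "$1"
}

# make_fake_libdir
#   Constructs a throwaway directory mirroring the Ubuntu precise layout:
#   libnss3.so in libdir, libnssckbi.so one level down under libdir/nss.
#   Prints the directory; the caller removes it.
make_fake_libdir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/nss"
    : > "$dir/libnss3.so"
    : > "$dir/nss/libnssckbi.so"
    printf '%s\n' "$dir"
}

# Demonstration against the constructed layout (no system files touched).
fake=$(make_fake_libdir)
echo "libdir:            $fake"
echo "evolution looked:  $(evolution_pre_fix_path "$fake")"
if [ -f "$(evolution_pre_fix_path "$fake")" ]; then
    echo "  -> present (evolution would load the built-in roots)"
else
    echo "  -> missing (evolution would show zero authorities)"
fi
echo "actually found at: $(find_nssckbi "$fake" || echo '<none>')"
rm -rf "$fake"

# On a real system the libdir comes from nss.pc; pkg-config is only
# consulted if it is installed and knows about nss.
if real=$(pkg-config --variable=libdir nss 2>/dev/null) && [ -n "$real" ]; then
    echo "system nss libdir: $real"
    echo "system nssckbi:    $(find_nssckbi "$real" || echo '<none>')"
fi
```

Run it as `sh check-nssckbi.sh`. If the "evolution looked" path is missing while "actually found at" reports the nss/ subdirectory, the application is searching one directory too high, which is exactly the failure the comment describes; the precise-era fix was to have evolution append the nss/ component.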

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evolution - 3.2.2-0ubuntu3

---------------
evolution (3.2.2-0ubuntu3) precise; urgency=low

  * debian/patches/nss-paths.patch: get evolution to look at the right place
    for nssckbi; to load built-in SSL certs. (LP: #911592)
 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 04 Jan 2012 11:52:56 -0500

Changed in evolution (Ubuntu Precise):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks for the fix Mathieu. I can confirm that evolution is working properly again.

Is the change something we need to fix in other places (or centrally in nss) or was it just evolution getting it wrong?

Changed in nss (Ubuntu Precise):
status: Confirmed → Incomplete

As far as I could tell it's just evolution doing it wrong -- we can certainly see firefox and chromium appear to be fine. I couldn't check curl simply (libcurl3-nss uses libnss3). I couldn't see a list of certificate authorities in Pidgin but deleting the certificates and disconnecting/reconnecting I saw them re-added and no pop-up telling me they couldn't be validated. I haven't looked at the other reverse-build-depends of libnss3-dev.

It seemed clear that the way of looking for nssckbi in evolution was "wrong", but I still need to check to be sure if it's debian-specific or general to have a libdir for the actual nss libraries and an extra directory nss/ under that libdir for the "modules" and nssckbi. Maybe there's a better way to fix this, but I can't think of how in nss (unless we were to start shipping an extra variable in nss.pc specifically for nssckbi's path).

In other words, to make this better we could ship an extra var in nss.pc for the nssckbi path, but it looks like it was just evolution affected here; more investigation is needed to ascertain whether it's worth it. libdir itself can't really be changed, since it needs to point to the actual location of the nss libraries.

Jamie Strandboge (jdstrand) wrote :

Let's mark this as 'Invalid' in nss for now. If needed, we can reopen. Thanks again Mathieu.

Changed in nss (Ubuntu Precise):
milestone: precise-alpha-2 → none
status: Incomplete → Invalid
Jack Ostroff (ostroffjh) wrote :

[I've tried to post this several times, and it keeps disappearing before I can commit. Apologies if it appears more than once.]

I seem to be having the same problem with Evolution 3.2.2-0ubuntu0.1 and libnss3 3.14.1-0ckbi1.93ubuntu.0.11.10.1 under Ubuntu 11.10. I'm not yet ready to upgrade to precise, so I'm wondering if there is any way to backport the fix.
