Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they
resigned those same roots using SHA1.
See discussion here: https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ
In Ubuntu, the Verisign md2 certs do not ship in the system CA certs bundle, as
the sha1 certs are being shipped instead. SSL libraries are supposed to verify
certs with the sha1 G1 PCA Root just fine, even if the web site sends the md2
G1 PCA Root as part of the cert bundle.
You can test this by using the following command:
gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt --print-cert -p 443 secure-test.streamline-esolutions.com
In older versions of libsoup, such as 2.36.1, this worked fine. Since libsoup
2.37.1, this is no longer working correctly. It seems glib-networking
gtlsfiledatabase-gnutls.c:g_tls_file_database_gnutls_lookup_assertion() is
attempting to validate the whole DER, which wouldn't properly accept the sha1
cert for validation.
Attached is a reproducer. It will first attempt to validate the web site cert
using the old md2 Root, and then will attempt with the sha1 Root. Both should
succeed. With libsoup > 2.37, the sha1 Root fails verification.
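Added example (not from the bug report, libsoup or glib-networking) that models the scenario above with Go's crypto/x509: one root CA signed twice over the same subject and key, and the difference between an anchor lookup that compares the whole DER and one that compares subject and public key. SHA-256 and SHA-384 stand in for md2 and sha1 (only two distinct signatures over the same root are needed), and the CA name, host name and RSA keys are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with key and parses the result; a self-signed root passes tmpl as its own parent.
func mkCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// Scenario builds constructed test data modelling the report: one root CA (same subject, same key) signed
// twice with different hashes (SHA-256/SHA-384 stand in for md2/sha1) and a site cert issued under it.
func Scenario() (oldRoot, newRoot, leaf *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example G1 Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.SHA256WithRSA}
	oldRoot = mkCert(root, root, &caKey.PublicKey, caKey) // the copy the web site sends in its bundle
	root.SignatureAlgorithm = x509.SHA384WithRSA
	newRoot = mkCert(root, root, &caKey.PublicKey, caKey) // the re-signed copy the system bundle ships
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	site := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "secure-test.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	leaf = mkCert(site, oldRoot, &leafKey.PublicKey, caKey)
	return
}

// SameDER is the check the report attributes to the lookup: whole-certificate byte equality, which a re-signed root never gives.
func SameDER(stored, sent *x509.Certificate) bool { return bytes.Equal(stored.Raw, sent.Raw) }

// SameAnchor matches on subject and SubjectPublicKeyInfo, the parts both copies of the root share.
func SameAnchor(stored, sent *x509.Certificate) bool {
	return bytes.Equal(stored.RawSubject, sent.RawSubject) &&
		bytes.Equal(stored.RawSubjectPublicKeyInfo, sent.RawSubjectPublicKeyInfo)
}

// SignedBy reports whether root's key verifies leaf's signature; either copy of the root works.
func SignedBy(leaf, root *x509.Certificate) bool { return leaf.CheckSignatureFrom(root) == nil }
```

With only newRoot in the store, SameDER(newRoot, oldRoot) is false while SameAnchor(newRoot, oldRoot) and SignedBy(leaf, newRoot) are true, which is the behaviour the reproducer expects from a verifier.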