Comment 0 for bug 305264

Andreas Hasenack (ahasenack) wrote :

I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.

This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:

gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com

I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update.

I concentrated the rest of my tests in dapper.

With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.

Here is the chain as seen by gnutls against staging.landscape.canonical.com:
[0]
Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287

[1]
Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority

[2]
Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,<email address hidden>

[3]
Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,<email address hidden>
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,<email address hidden>

Notice that the last certificate in the chain is the CA certificate, which is self-signed. I wonder if the recent security fix broke that:
    - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
      if it is self-signed in lib/x509/verify.c

Here is openssl's chain against the same site (staging):
Certificate chain
 0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>

Openssl's s_client tool works, btw.