Key usage violation in certificate has been detected

Bug #1207123 reported by Adam Stokes on 2013-08-01
Affects              Status        Importance  Assigned to    Milestone
gnutls26 (Ubuntu)    Fix Released  Undecided   Unassigned
Precise              Fix Released  Medium      Brian Murray
Quantal              Fix Released  Medium      Brian Murray

Bug Description

[Impact]
With a certificate issued to allow _only_ a certain ciphersuite (e.g. RSA), gnutls will fail with a key usage violation unless the server explicitly disables all other ciphersuites.

[Test Case]
+ On a 12.04 system install a valid certificate supporting only RSA
+ Configure an ssl enabled website via apache2 using the above certificate
+ Run gnutls-cli <hostname>

[Regression Potential]
The fix for this was pulled from 13.04 and so far no major bugs have been filed relating to this specific issue.

[Additional]
As stated above, the attached debdiff(s) for quantal and precise were pulled from 13.04, where the code just ignores this violation and moves on. I don't know of a better way to handle this, and perhaps someone with more knowledge around gnutls could provide more insight.

Changed in gnutls26 (Ubuntu):
status: New → Fix Released
Changed in gnutls26 (Ubuntu Precise):
assignee: nobody → Brian Murray (brian-murray)
Changed in gnutls26 (Ubuntu Quantal):
assignee: nobody → Brian Murray (brian-murray)
Brian Murray (brian-murray) wrote :

Here is a link to the upstream commit:

https://gitorious.org/gnutls/gnutls/commit/dbc72ae47b16c6718cb5e53d4a31205bc45d3742/diffs

and a bit from the NEWS file:

** libgnutls: Always tolerate key usage violation errors from the side of the peer, but also notify via an audit message.
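
The check behind the error in the [Impact] and [Test Case] sections above, and the "tolerate but audit" behaviour described in the NEWS entry, as an added example. This is not GnuTLS code and not part of the bug report: it decodes the DER KeyUsage BIT STRING from a certificate extension (RFC 5280 4.2.1.3), maps the bits to the TLS 1.2 key exchanges an RSA certificate may serve (RFC 5246 7.4.2: RSA key transport needs keyEncipherment, (EC)DHE_RSA needs digitalSignature), and models the pre-fix fatal check beside the post-fix audit-and-continue check. The ciphersuite family names, the exception class, the audit list and the priority-string syntax used for the server-side workaround are assumptions for illustration; the extension bytes are constructed, not taken from a real certificate.

```python
"""Model of the keyUsage check GnuTLS applies to the peer certificate.

Added example, not GnuTLS code. Decodes a DER KeyUsage BIT STRING
(RFC 5280 4.2.1.3), maps bits to the TLS 1.2 key exchanges an RSA
certificate may serve (RFC 5246 7.4.2), and models the two behaviours
discussed in the bug: strict (violation is fatal) and tolerant (audit
message, handshake continues). Sample extension bytes are constructed.
"""

KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# RFC 5246 7.4.2: RSA key transport encrypts the premaster secret to the
# certificate key (keyEncipherment); (EC)DHE_RSA signs the ephemeral
# parameters with it (digitalSignature). Names are illustrative.
KX_REQUIRED_USAGE = {
    "RSA": "keyEncipherment",
    "DHE-RSA": "digitalSignature",
    "ECDHE-RSA": "digitalSignature",
}


class KeyUsageViolation(Exception):
    """Stands in for GNUTLS_E_KEY_USAGE_VIOLATION (assumed name for this model)."""


def decode_key_usage(der):
    """Decode the KeyUsage extension value (a DER BIT STRING) into bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] > 0x7F:
        raise ValueError("not a short-form DER BIT STRING")
    if len(der) != 2 + der[1]:
        raise ValueError("BIT STRING length does not match input")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits octet")
    nbits = len(body) * 8 - unused
    flags = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):  # bit 0 is the MSB of octet 0
        octet, bit = divmod(i, 8)
        if body[octet] & (0x80 >> bit):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def permitted_kx(usage):
    """Key exchanges an RSA certificate with these keyUsage bits may serve.
    An absent extension (empty set) imposes no restriction."""
    if not usage:
        return set(KX_REQUIRED_USAGE)
    return {kx for kx, need in KX_REQUIRED_USAGE.items() if need in usage}


def check_key_usage(usage, negotiated_kx, tolerate, audit):
    """Client-side check on the server certificate once the ciphersuite is chosen.

    tolerate=False: pre-fix behaviour, the handshake is aborted.
    tolerate=True:  behaviour of the 5ubuntu3.5 / 5ubuntu4.4 patch (upstream
                    dbc72ae): record an audit message and continue.
    Returns True when the handshake continues.
    """
    if negotiated_kx in permitted_kx(usage):
        return True
    msg = "Peer's certificate does not allow %s (keyUsage=%s)" % (
        negotiated_kx, ",".join(sorted(usage)) or "<absent>")
    if not tolerate:
        raise KeyUsageViolation(msg)
    audit.append(msg)
    return True


def strict_rejects(usage, negotiated_kx):
    """True if the pre-fix check would abort the handshake."""
    try:
        check_key_usage(usage, negotiated_kx, tolerate=False, audit=[])
        return False
    except KeyUsageViolation:
        return True


def server_priority_workaround(usage):
    """The pre-fix workaround named in the bug: make the server offer only
    key exchanges the certificate permits. Rendered as a GnuTLS priority
    string (assumed syntax: NORMAL, minus all KX, plus the permitted ones)."""
    return "NORMAL:-KX-ALL:" + ":".join("+" + kx for kx in sorted(permitted_kx(usage)))


if __name__ == "__main__":
    # Constructed sample: keyUsage = keyEncipherment only (0010 0000, 5 unused bits),
    # i.e. a certificate issued for RSA key transport and nothing else.
    rsa_only = decode_key_usage(b"\x03\x02\x05\x20")
    print("keyUsage:", sorted(rsa_only), "-> permitted:", sorted(permitted_kx(rsa_only)))
    audit = []
    print("strict, DHE-RSA rejected:", strict_rejects(rsa_only, "DHE-RSA"))
    print("tolerant, DHE-RSA continues:", check_key_usage(rsa_only, "DHE-RSA", True, audit))
    print("audit:", audit)
    print("server workaround:", server_priority_workaround(rsa_only))
```

Two practitioner notes follow from the model. First, the workaround is the server operator's: a keyEncipherment-only certificate is fine as long as the server never offers a signing key exchange, which is why the bug disappears once all other ciphersuites are disabled. Second, the fix lowers enforcement rather than correcting a false positive: a client built with this patch continues the handshake even when the certificate says the key must not be used that way (for example a digitalSignature-only key accepting RSA key transport), and the only trace is the audit message, so anyone relying on keyUsage as a hard boundary on the client side needs to know it has become advisory.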

Changed in gnutls26 (Ubuntu Precise):
importance: Undecided → Medium
Changed in gnutls26 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in gnutls26 (Ubuntu Precise):
status: New → Triaged
Changed in gnutls26 (Ubuntu Quantal):
status: New → Triaged

Hello Adam, or anyone else affected,

Accepted gnutls26 into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Quantal):
status: Triaged → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Hello Adam, or anyone else affected,

Accepted gnutls26 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Precise):
status: Triaged → Fix Committed
Jonathan Davies (jpds) wrote :

Update looks good to me, my SSL server works on 12.04.

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-precise verification-needed
removed: verification-done
Adam Stokes (adam-stokes) wrote :

Jonathan, are you able to test quantal as well?

Jonathan Davies (jpds) wrote :

Spun up a quantal VM in same environment, and tested SRU.

tags: added: verification-done-quantal
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.5

---------------
gnutls26 (2.12.14-5ubuntu3.5) precise-proposed; urgency=low

  * debian/patches/26_ignore_key_usage_violation.patch:
    Prints debug message on key usage violation rather than treating
    the violation as fatal. (LP: #1207123)
 -- Adam Stokes <email address hidden> Mon, 05 Aug 2013 11:57:10 -0400

Changed in gnutls26 (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu4.4

---------------
gnutls26 (2.12.14-5ubuntu4.4) quantal-proposed; urgency=low

  * debian/patches/21_ignore_key_usage_violation.patch:
    Prints debug message on key usage violation rather than treating
    the violation as fatal. (LP: #1207123)
 -- Adam Stokes <email address hidden> Mon, 05 Aug 2013 11:15:19 -0400

Changed in gnutls26 (Ubuntu Quantal):
status: Fix Committed → Fix Released