lynx https requests reports self-signed ssl certificate in error

Bug #1297986 reported by Robert Osborne
This bug affects 1 person
Affects            Status         Importance   Assigned to
gnutls26 (Debian)  Fix Released   Unknown
gnutls26 (Ubuntu)  Confirmed      Undecided    Unassigned

Bug Description

After the update in Precise to ca-certificates 20130906ubuntu0.12.04.1, lynx now falsely identifies the SSL certificates as self-signed.

I have verified this by attempting the following before and after a downgrade to ca-certificates=20111211:

lynx https://www.cmw.osfc.state.oh.us
lynx https://prodapp.osfc.state.oh.us

On both sites, the current ca-certificates 20130906ubuntu0.12.04.1 fails to identify a valid certificate and instead reports as unsigned. After apt-get install ca-certificates=20111211 (a DOWNGRADE) the Precise system returned to proper working order.

Description: Ubuntu 12.04.4 LTS
Release: 12.04

Robert Osborne (rj-osborne-5) wrote :

The exact message from lynx is:
SSL error:self signed certificate-Continue? (y)

Michael Shuler (mshuler) wrote :

Marc Deslauriers (mdeslaur) wrote :

Looks like the "Entrust.net_Premium_2048_Secure_Server_CA.crt" certificate got changed somewhere between 20111211 and 20130906:

20111211:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946059622 (0x3863b966)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Dec 24 18:20:51 2019 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)

20130906:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946069240 (0x3863def8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Jul 24 14:15:12 2029 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
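
Added example, not part of the original bug report: a small Python check that parses `openssl x509 -text` style output and flags a trust anchor that kept its subject name but changed serial number or validity between two bundle versions, which is the situation the two dumps above show. The function names are hypothetical; the field values are copied from the dumps.

```python
import re
from datetime import datetime

NAME = ("O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), "
        "OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)")
# Fields copied from the two dumps quoted in the comment above.
OLD_DUMP = f"""\
        Serial Number: 946059622 (0x3863b966)
        Issuer: {NAME}
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Dec 24 18:20:51 2019 GMT
        Subject: {NAME}
"""
NEW_DUMP = f"""\
        Serial Number: 946069240 (0x3863def8)
        Issuer: {NAME}
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Jul 24 14:15:12 2029 GMT
        Subject: {NAME}
"""
FIELD = re.compile(
    r"^\s*(Serial Number|Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$", re.M)

def parse_dump(text):
    """Extract identity and validity fields from `openssl x509 -text` style output."""
    f = dict(FIELD.findall(text))
    missing = {"Serial Number", "Issuer", "Subject", "Not Before", "Not After"} - f.keys()
    if missing:
        raise ValueError(f"dump lacks fields: {sorted(missing)}")
    f["Serial Number"] = int(f["Serial Number"].split()[0])  # drop the "(0x...)" suffix
    for key in ("Not Before", "Not After"):
        f[key] = datetime.strptime(f[key], "%b %d %H:%M:%S %Y GMT")
    return f

def compare_anchor(old, new):
    """Classify how one trust anchor changed between two bundle versions."""
    if old["Subject"] != new["Subject"]:
        return "different-ca", []
    changed = sorted(k for k in old if old[k] != new[k])
    if not changed:
        return "unchanged", changed
    # Same subject name, new serial: the bundle ships a different certificate under that name.
    return ("reissued" if "Serial Number" in changed else "modified"), changed

def is_self_issued(cert):
    """True when issuer and subject names match, as they do for a root certificate."""
    return cert["Issuer"] == cert["Subject"]

if __name__ == "__main__":
    old, new = parse_dump(OLD_DUMP), parse_dump(NEW_DUMP)
    print(compare_anchor(old, new), is_self_issued(old), is_self_issued(new))
```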

Marc Deslauriers (mdeslaur) wrote :

The server does appear to send a cert in the chain to bridge the two different "Entrust.net Certification Authority (2048)" certs, but I'm guessing gnutls doesn't like it because it's out of order or something.

affects: ca-certificates (Ubuntu) → gnutls26 (Ubuntu)
Changed in gnutls26 (Ubuntu):
status: New → Confirmed
Michael Shuler (mshuler) wrote :

Sorry, I saw Entrust and didn't follow the cert chain.

Michael Shuler (mshuler) wrote :

https://bugzilla.mozilla.org/show_bug.cgi?id=694536
https://bugzilla.mozilla.org/show_bug.cgi?id=856678

Those were the relevant cert replacement bugs - they extended the expiry by 10 years.

Changed in gnutls26 (Debian):
status: Unknown → Won't Fix
Changed in gnutls26 (Debian):
status: Won't Fix → Fix Released