Regression in trusty's gnutls26, can't connect to servers with RSA-MD5 certs (cacert)

Bug #1553819 reported by dx
Affects: gnutls26 (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Ubuntu version: 14.04

Affected package versions:
- 2.12.23-12ubuntu2.4
- 2.12.23-12ubuntu2.5

Unaffected package versions:
- 2.12.23-12ubuntu2.3 and older

Description:

When trying to connect to servers that have a RSA-MD5 signature in their certificate chain, gnutls26 fails to connect with "The signature algorithm is not supported."

The root certificate of cacert uses RSA-MD5, so this can be reproduced by trying to connect to any server that uses their certs.

Downgrading to 2.12.23-12ubuntu2.3 works around the issue.

This error originally appeared when trying to connect to jabber.ccc.de from bitlbee 3.2.1+otr4-1ubuntu0.2.

gnutls28 is unaffected: the user who reported the issue moved to the bitlbee nightly build apt repo, which compiles against gnutls28 instead of 26, and that "fixed" the issue.

OpenSSL has no issues connecting either.

Actual behavior (with 2.12.23-12ubuntu2.4):

$ gnutls-cli cacert.org
Resolving 'cacert.org'...
Connecting to '213.154.225.245:443'...
*** Non fatal error: A TLS warning alert has been received.
*** Received alert [112]: The server name sent was not recognized
*** Fatal error: The signature algorithm is not supported.
*** Handshake has failed
GnuTLS error: The signature algorithm is not supported.

Expected behavior (with 2.12.23-12ubuntu2.3):

$ gnutls-cli cacert.org
Resolving 'cacert.org'...
Connecting to '213.154.225.245:443'...
*** Non fatal error: A TLS warning alert has been received.
*** Received alert [112]: The server name sent was not recognized
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2048 bits
 - Secret key: 2047 bits
 - Peer's public key: 2046 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `C=AU,ST=NSW,L=Sydney,O=CAcert Inc.,CN=www.cacert.org', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,<email address hidden>', RSA key 2048 bits, signed using RSA-SHA512, activated `2014-04-28 20:57:55 UTC', expires `2016-04-27 20:57:55 UTC', SHA-1 fingerprint `bea40d514ab303db57fa1598efdc02c9b519a910'
 - Certificate[1] info:
  - subject `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,<email address hidden>', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,<email address hidden>', RSA key 4096 bits, signed using RSA-MD5 (broken!), activated `2003-03-30 12:29:49 UTC', expires `2033-03-29 12:29:49 UTC', SHA-1 fingerprint `135cec36f49cb8e93b1ab270cd80884676ce8f33'
- The hostname in the certificate matches 'cacert.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed
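The check that changed between 2.12.23-12ubuntu2.3 and 2.12.23-12ubuntu2.4, reproduced as an added example in Python (not code from this report, from GnuTLS or from OpenSSL): walk each DER certificate in the chain, read the signatureAlgorithm OID, and refuse the whole chain if any member is signed with RSA-MD5, even when the leaf itself uses RSA-SHA512 as in the output above. It also confirms that the inner tbsCertificate.signature agrees with the outer signatureAlgorithm, which a verifier must do before trusting either. The chain is a constructed skeleton mirroring the cacert.org chain quoted above (SHA-512 leaf under an MD5-signed root), not real certificate bytes; listing MD2 alongside MD5 in the rejected set is this example's assumption, since the report only mentions MD5.

```python
"""Flag deprecated signature algorithms in a DER X.509 chain (stdlib only).

Added example; not code from the bug report or from GnuTLS. The chain at
the bottom is a constructed skeleton, not real certificate bytes.
"""

# AlgorithmIdentifier OIDs from PKCS#1 mapped to the names gnutls-cli prints.
SIGNATURE_NAMES = {
    "1.2.840.113549.1.1.2": "RSA-MD2",
    "1.2.840.113549.1.1.4": "RSA-MD5",
    "1.2.840.113549.1.1.5": "RSA-SHA1",
    "1.2.840.113549.1.1.11": "RSA-SHA256",
    "1.2.840.113549.1.1.12": "RSA-SHA384",
    "1.2.840.113549.1.1.13": "RSA-SHA512",
}
# USN-2865-1 removed RSA-MD5 (per the maintainer comment); adding RSA-MD2 to
# the rejected set is this example's assumption.
REJECTED_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Base-128 OBJECT IDENTIFIER contents -> dotted string."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _algorithm_oid(algid):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_oids(cert_der):
    """Return (inner tbsCertificate.signature, outer signatureAlgorithm) OIDs.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    """
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, pos = _read_tlv(cert, 0)
    _, outer_alg, _ = _read_tlv(cert, pos)
    tag, _, tpos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit version present (v2/v3)
        _, _, tpos = _read_tlv(tbs, tpos)   # skip serialNumber
    # otherwise the first element already was serialNumber (v1 certificate)
    _, inner_alg, _ = _read_tlv(tbs, tpos)
    return _algorithm_oid(inner_alg), _algorithm_oid(outer_alg)


def audit_chain(chain):
    """Report the signature algorithm of every certificate, leaf first."""
    report = []
    for index, cert in enumerate(chain):
        inner, outer = signature_oids(cert)
        if inner != outer:  # RFC 5280 4.1.1.2: the two identifiers must agree
            raise ValueError(f"certificate[{index}]: {inner} != {outer}")
        report.append({"index": index, "oid": outer,
                       "name": SIGNATURE_NAMES.get(outer, outer),
                       "rejected": outer in REJECTED_OIDS})
    return report


def chain_acceptable(chain):
    """True unless any certificate in the chain carries a rejected signature."""
    return not any(entry["rejected"] for entry in audit_chain(chain))


# --- constructed sample input: skeleton certificates, not real ones ----------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid, inner_oid=None, v1=False):
    """Certificate whose tbsCertificate holds only version, serial, signature."""
    alg = lambda oid: _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    version = b"" if v1 else _tlv(0xA0, _tlv(0x02, b"\x02"))
    tbs = _tlv(0x30, version + _tlv(0x02, b"\x01") + alg(inner_oid or sig_oid))
    return _tlv(0x30, tbs + alg(sig_oid) + _tlv(0x03, b"\x00" + bytes(8)))


# Leaf signed with RSA-SHA512 under a root that is itself RSA-MD5 signed.
CACERT_LIKE_CHAIN = [skeleton_cert("1.2.840.113549.1.1.13"),
                     skeleton_cert("1.2.840.113549.1.1.4")]
# Same shape with an RSA-SHA256 root: accepted.
SHA2_CHAIN = [skeleton_cert("1.2.840.113549.1.1.13"),
              skeleton_cert("1.2.840.113549.1.1.11")]

if __name__ == "__main__":
    for entry in audit_chain(CACERT_LIKE_CHAIN):
        print(f"Certificate[{entry['index']}] signed using {entry['name']}:",
              "REJECTED" if entry["rejected"] else "ok")
    print("handshake would", "fail" if not chain_acceptable(CACERT_LIKE_CHAIN) else "succeed")
```

The walker reads only the two AlgorithmIdentifiers and ignores the rest of tbsCertificate, so it runs against any real DER chain (for example the two certificates gnutls-cli lists above, after exporting them) as well as the constructed one; it deliberately refuses a certificate whose inner and outer algorithm identifiers disagree rather than picking one.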

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The point of the USN-2865-1 security update was to remove support for RSA-MD5 certificates which are considered insecure and were previously accepted in GnuTLS because of a design flaw.

See the following for more information:

http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
http://www.ubuntu.com/usn/usn-2865-1/

Please also see the following cacert.org announcement:

http://blog.cacert.org/2015/12/re-signing-root-certificate/

Changed in gnutls26 (Ubuntu):
status: New → Won't Fix
Revision history for this message
dx (dx) wrote :

Wouldn't that mean that gnutls28 and openssl are vulnerable, then?
