libgnutls30 OCSP verification bug

Bug #1714506 reported by largeprime
This bug affects 1 person
Affects            Status        Importance  Assigned to          Milestone
gnutls28 (Ubuntu)  Fix Released  High        Julian Andres Klode
Zesty              Fix Released  High        Julian Andres Klode

Bug Description

[Impact]

Applications using GnuTLS fail to verify OCSP, especially when ECDSA is involved, which is becoming increasingly popular.

[Test Case]
Run "gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net" - it should succeed (hang once connected, basically), but fails the handshake with certificate validation.

[Regression Potential]
Only OCSP code is affected by the fixes, so something could possibly break there.

[Other Info]
This was fixed in Debian stretch in 3.5.8-5+deb9u3:

https://anonscm.debian.org/cgit/pkg-gnutls/gnutls.git/commit/?h=gnutls28_09_stretch&id=aebb4e1b78758d6395e17a3137f2c67a2fb7a334

description: updated
Changed in gnutls28 (Ubuntu):
importance: Undecided → High
status: New → Triaged
status: Triaged → In Progress
assignee: nobody → Julian Andres Klode (juliank)
Changed in gnutls28 (Ubuntu Zesty):
importance: Undecided → High
status: New → Triaged
assignee: nobody → Julian Andres Klode (juliank)
Changed in gnutls28 (Ubuntu):
status: In Progress → Fix Committed
Julian Andres Klode (juliank) wrote :

JFTR: xenial is not affected, I assume older versions are not either.

Changed in gnutls28 (Ubuntu Zesty):
status: Triaged → In Progress
Julian Andres Klode (juliank) wrote :

Fixes for both artful and zesty are uploaded now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.8-6ubuntu3

---------------
gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium

  * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
    - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
      38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
      gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
      signatures. LP: #1714506
    - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
      upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and
      decryption on aarch64. LP: #1707172

 -- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200

Changed in gnutls28 (Ubuntu):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) wrote : Please test proposed package

Hello largeprime, or anyone else affected,

Accepted gnutls28 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnutls28/3.5.6-4ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls28 (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Julian Andres Klode (juliank) wrote :

Verified on zesty, old version 3.5.6-4ubuntu4.2 failed handshake, 3.5.6-4ubuntu4.3 succeeded:

Script started on Thu 07 Sep 2017 00:45:28 CEST
+ apt-get -q update
[...]
+ apt-get -q -y install gnutls-bin ca-certificates
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libffi6 libgmp10 libgnutls30 libhogweed4 libidn11 libnettle6 libopts25 libp11-kit0 libssl1.0.0 libtasn1-6 openssl
The following NEW packages will be installed:
  ca-certificates gnutls-bin libffi6 libgmp10 libgnutls30 libhogweed4 libidn11 libnettle6 libopts25 libp11-kit0 libssl1.0.0 libtasn1-6 openssl
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 3326 kB of archives.
After this operation, 9762 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu zesty/main amd64 libffi6 amd64 3.2.1-6 [17.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu zesty/main amd64 libgmp10 amd64 2:6.1.2+dfsg-1 [240 kB]
Get:3 http://archive.ubuntu.com/ubuntu zesty/main amd64 libnettle6 amd64 3.3-1 [92.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu zesty/main amd64 libhogweed4 amd64 3.3-1 [135 kB]
Get:5 http://archive.ubuntu.com/ubuntu zesty/main amd64 libidn11 amd64 1.33-1 [45.0 kB]
Get:6 http://archive.ubuntu.com/ubuntu zesty/main amd64 libp11-kit0 amd64 0.23.3-5 [107 kB]
Get:7 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libtasn1-6 amd64 4.10-1ubuntu0.1 [35.5 kB]
Get:8 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libgnutls30 amd64 3.5.6-4ubuntu4.2 [627 kB]
Get:9 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libssl1.0.0 amd64 1.0.2g-1ubuntu11.2 [1081 kB]
Get:10 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 openssl amd64 1.0.2g-1ubuntu11.2 [491 kB]
Get:11 http://archive.ubuntu.com/ubuntu zesty/main amd64 ca-certificates all 20161130 [193 kB]
Get:12 http://archive.ubuntu.com/ubuntu zesty/main amd64 libopts25 amd64 1:5.18.12-3 [57.0 kB]
Get:13 http://archive.ubuntu.com/ubuntu zesty-updates/universe amd64 gnutls-bin amd64 3.5.6-4ubuntu4.2 [204 kB]
Fetched 3326 kB in 2s (1539 kB/s)
[...]
+ gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net
Processed 173 CA certificate(s).
Resolving 'tvemsnbc-vh.akamaihd.net:443'...
Connecting to '95.101.77.25:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=Massachusetts,C=US', issuer `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', serial 0x0f683f2dfac9edf014148ca649db4bad, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2017-03-07 00:00:00 UTC', expires `2018-05-06 23:59:59 UTC', SHA-1 fingerprint `557c90a8d8953f3a2c2b59290a5ce12eafa60adf'
 Public Key ID:
  8c08394d28e104af81d099d4d236eef424710a29
 Public key's random art:
  +--[SECP256R1]----+
  |==.B. |
  |E.O+* . |
  |o+==.= |
  | o o=..o |
  |. o.+. S |
  | . . |
  | |
  | |
  | |
  +-----------------+

- Certificate[1] info:
 - subject `CN=Symantec ...


tags: added: verification-done-zesty
removed: verification-needed verification-needed-zesty
largeprime (largeprime) wrote :

Verified working on zesty

Bug was discovered using vlc to access web stream needing tls auth. Debugging pointed at gnutls. Bug resolved after upgrade to patched gnutls.

Thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.6-4ubuntu4.3

---------------
gnutls28 (3.5.6-4ubuntu4.3) zesty; urgency=medium

  * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
    - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
      38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
      gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
      signatures. LP: #1714506
    - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
      upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and
      decryption on aarch64. LP: #1707172

 -- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200

Changed in gnutls28 (Ubuntu Zesty):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for gnutls28 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
