gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnutls28 (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | Medium | Julian Andres Klode |
Bug Description
[Impact]
Recently, due to some combination of the recent ca-certificate SRU and server certificate chain reconfigurations, the gnutls28 package in trusty was left unable to validate many valid certificate chains, such as that of google.com.
0 s:/C=US/
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=
The problem is that although GeoTrust Global CA is a trusted certificate, gnutls28 gives up after noting that Equifax Secure Certificate Authority is not. This bug was fixed upstream by these commits:
https:/
https:/
https:/
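To make the failure mode concrete, here is an added example (not code from this report or from GnuTLS) that models the two verification strategies over the chain shown above. Certificates are reduced to constructed (subject, issuer) name pairs; signatures, validity periods and name constraints are deliberately not modelled, so this illustrates only the trust-anchor search order that the upstream commits changed.

```python
"""Simplified model of the gnutls28 chain-validation bug in this report.

Certificates are (subject, issuer) distinguished-name pairs only. No
signature or validity checking is done; this is illustration code.
"""
from typing import List, Set, Tuple

Cert = Tuple[str, str]  # (subject, issuer)

# Constructed chain mirroring the report: leaf -> Google Internet Authority
# G2 -> GeoTrust Global CA, whose own issuer (Equifax) is not in the store.
GOOGLE_CHAIN: List[Cert] = [
    ("CN=google.com", "CN=Google Internet Authority G2"),
    ("CN=Google Internet Authority G2", "CN=GeoTrust Global CA"),
    ("CN=GeoTrust Global CA", "CN=Equifax Secure Certificate Authority"),
]

# Trust store as described: GeoTrust Global CA is trusted, Equifax is not.
TRUSTED: Set[str] = {"CN=GeoTrust Global CA"}


def links_ok(chain: List[Cert]) -> bool:
    """Every certificate must name the next one in the list as its issuer."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def verify_buggy(chain: List[Cert], trusted: Set[str]) -> bool:
    """Pre-fix behaviour: walk to the end of the supplied chain and require
    the LAST certificate's issuer to be a trust anchor. A trusted CA that
    appears earlier in the chain is never consulted, so the chain above
    fails on the untrusted Equifax issuer."""
    if not chain or not links_ok(chain):
        return False
    return chain[-1][1] in trusted


def verify_fixed(chain: List[Cert], trusted: Set[str]) -> bool:
    """Fixed behaviour: check each certificate in turn and stop at the first
    one that is itself a trust anchor or was issued by one; anything the
    server sends beyond that point is ignored."""
    if not chain or not links_ok(chain):
        return False
    for subject, issuer in chain:
        if subject in trusted or issuer in trusted:
            return True
    return False
```

With the store above, `verify_buggy` rejects the chain while `verify_fixed` accepts it; a chain that omits the GeoTrust certificate, or a store that does trust Equifax, is accepted by both.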
[Test Case]
One way to reproduce this is by building and running gnutls-cli:
$ apt-get build-dep gnutls28
$ apt-get source gnutls28
$ cd gnutls28-3.2.11
$ debian/rules build
$ ./src/gnutls-cli google.com
Processed 118 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=
Public Key ID:
e3e4e591a1131
Public key's random art:
+--[ EC 256]----+
|o .o. |
|E . . . |
| . . . o. . |
| . = o o |
| . B oS + |
| . o =+o= . |
| . oo . |
| . . |
| oo.++ |
+----
- Certificate[1] info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-05-22 11:32:37 UTC', expires `2018-12-31 23:59:59 UTC', SHA-1 fingerprint `a6120fc0b4664f
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
(Note that the gnutls-cli binary in trusty’s gnutls-bin package comes from gnutls26, which seems to have already received the necessary updates, although it requires the ‘--x509cafile /etc/ssl/
[Regression Potential]
Most GnuTLS-dependent packages in trusty use gnutls26 rather than gnutls28, so potential regressions, if any, would likely manifest in self-compiled binaries and PPA packages that were specifically compiled against gnutls28. (I noticed this bug in the first place because vlc from ppa:jonathonf/vlc became unable to play YouTube videos.)
tags: added: patch
Changed in gnutls28 (Ubuntu): status: New → Fix Released
Changed in gnutls28 (Ubuntu Trusty): importance: Undecided → Medium
Changed in gnutls28 (Ubuntu): importance: Undecided → High
Here is a patch for trusty that backports the relevant parts of the three upstream commits fixing this bug.