expiring trust anchor compatibility issue
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnutls28 (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Precise |
Won't Fix
|
High
|
Unassigned | ||
Trusty |
Won't Fix
|
High
|
Unassigned | ||
Xenial |
Fix Released
|
High
|
Dimitri John Ledkov | ||
Bionic |
Fix Released
|
High
|
Dimitri John Ledkov | ||
Focal |
New
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* gnutls28 fails to talk to letsencrypt website past September 2021, despite trusting the letsencrypt root certificate.
[Test Plan]
* Import staging cert equivalent to ISRG Root X1 https:/
* Import expired staging cert equivalen tto DST Root CA X3
https:/
* Test connectivity to the expired-root-ca test website
https:/
setup:
apt install wget gnutls-bin
wget https:/
wget https:/
cat letsencrypt-
test case:
gnutls-cli --x509cafile=ca.pem expired-
bad result:
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
good result:
- Status: The certificate is trusted.
- Description: (TLS1.3-
- Session ID: A8:2B:AF:
- Options: OCSP status request,
- Handshake was completed
Connection should be successful and trusted with correctly working gnutls client that can manage to ignore expired CA, and build a valid trust path using non-expired CA in the chain.
[Where problems could occur]
* Changes as to how the trust paths are built in TLS connection may result in introducing bugs (failure to connect to valid sites) and/or security vulnerabilities (connecting to invalid sites successfully).
[Other Info]
* Background info
* The current chain from letsencrypt is expiring, they are adding a new chain, but also keeping the expiring one. This will result in connectivity issues when using old gnutls/openssl against websites using the default letsencrypt configuration after September 2021.
https:/
https:/
Currently gnutls28 in bionic and earlier will not establish a connection, if any parts of the trust chain have expired, even though alternative non-expired chains are available.
This has been fixed in GnuTLS 3.6.14, but probably should be backported to bionic and earlier if it was not already been done so.
https:/
https:/
Openssl bug report for this issue is https:/
Bionic packages available from https:/
Xenial packages available from https:/
Changed in gnutls28 (Ubuntu): | |
status: | New → Fix Released |
information type: | Public → Public Security |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: | added: letsencrypt |
description: | updated |
tags: |
added: letsencryptexpiry removed: letsencrypt |
Changed in gnutls28 (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in gnutls28 (Ubuntu Precise): | |
status: | New → Won't Fix |
Changed in gnutls28 (Ubuntu Bionic): | |
assignee: | nobody → Dimitri John Ledkov (xnox) |
description: | updated |
Changed in gnutls28 (Ubuntu Xenial): | |
assignee: | nobody → Dimitri John Ledkov (xnox) |
status: | New → In Progress |
Changed in gnutls28 (Ubuntu): | |
importance: | Undecided → High |
Changed in gnutls28 (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in gnutls28 (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in gnutls28 (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in gnutls28 (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in gnutls28 (Ubuntu Trusty): | |
status: | Confirmed → Won't Fix |
Changed in gnutls28 (Ubuntu Focal): | |
status: | Confirmed → New |
Status changed to 'Confirmed' because the bug affects multiple users.