Breaks certs with DOS-style line endings

Bug #855454 reported by Loïc Minier on 2011-09-21
Affects                               Status        Importance  Assigned to     Milestone
Ubuntu One storage protocol           Fix Released  High        Loïc Minier     2.0.0
ca-certificates (Ubuntu)              Fix Released  Undecided   Loïc Minier
openssl (Debian)                      Fix Released  Unknown
openssl (Ubuntu)                      Fix Released  Undecided   Loïc Minier
ubuntuone-storage-protocol (Ubuntu)   Fix Released  High        Natalia Bidart  ubuntu-11.10

Bug Description

Update of openssl from 1.0.0d-2ubuntu2 to 1.0.0e-2ubuntu1 broke the c_rehash parsing of certificates with DOS-style line endings.

This was only uncovered by a recent ca-certificates update which triggered a rebuild of /etc/ssl/certs.

Loïc Minier (lool) wrote :

before:
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 01234567
verify return:1
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify return:1
---
Certificate chain
 0 s:/O=f.q.d.n/OU=Domain Control Validated/CN=f.q.d.n
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

after:
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = f.q.d.n, OU = Domain Control Validated, CN = f.q.d.n
verify error:num=21:unable to verify the first certificate
verify return:1

Loïc Minier (lool) wrote :

Missed this part in the after bits:
Certificate chain
 0 s:/O=f.q.d.n/OU=Domain Control Validated/CN=f.q.d.n
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

Loïc Minier (lool) wrote :

From upgrade log:
Setting up libglib2.0-0:i386 (2.29.92-0ubuntu1) ...
Setting up ca-certificates (20110502+nmu1ubuntu3) ...
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate IGC_A.pem
WARNING: Skipping duplicate certificate IGC_A.pem
155 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Replacing debian:brasil.gov.br.pem
Replacing debian:cacert.org.pem
Replacing debian:ca.pem
Replacing debian:cert_igca_dsa.pem
Replacing debian:cert_igca_rsa.pem
Replacing debian:AOL_Time_Warner_Root_Certification_Authority_1.pem
Replacing debian:AOL_Time_Warner_Root_Certification_Authority_2.pem
Replacing debian:AddTrust_External_Root.pem
Replacing debian:AddTrust_Low-Value_Services_Root.pem
Replacing debian:AddTrust_Public_Services_Root.pem
Replacing debian:AddTrust_Qualified_Certificates_Root.pem
Replacing debian:America_Online_Root_Certification_Authority_1.pem
Replacing debian:America_Online_Root_Certification_Authority_2.pem
Replacing debian:Baltimore_CyberTrust_Root.pem
Replacing debian:COMODO_Certification_Authority.pem
Replacing debian:Camerfirma_Chambers_of_Commerce_Root.pem
Replacing debian:Camerfirma_Global_Chambersign_Root.pem
Replacing debian:Certplus_Class_2_Primary_CA.pem
Replacing debian:Certum_Root_CA.pem
Replacing debian:Comodo_AAA_Services_root.pem
Replacing debian:Comodo_Secure_Services_root.pem
Replacing debian:Comodo_Trusted_Services_root.pem
Replacing debian:DST_ACES_CA_X6.pem
Replacing debian:DST_Root_CA_X3.pem
Replacing debian:DigiCert_Assured_ID_Root_CA.pem
Replacing debian:DigiCert_Global_Root_CA.pem
Replacing debian:DigiCert_High_Assurance_EV_Root_CA.pem
Replacing debian:Digital_Signature_Trust_Co._Global_CA_1.pem
Replacing debian:Digital_Signature_Trust_Co._Global_CA_3.pem
Replacing debian:Entrust.net_Premium_2048_Secure_Server_CA.pem
Replacing debian:Entrust.net_Secure_Server_CA.pem
Replacing debian:Entrust_Root_Certification_Authority.pem
Replacing debian:Equifax_Secure_CA.pem
Replacing debian:Equifax_Secure_eBusiness_CA_1.pem
Replacing debian:Equifax_Secure_eBusiness_CA_2.pem
Replacing debian:Firmaprofesional_Root_CA.pem
Replacing debian:GTE_CyberTrust_Global_Root.pem
Replacing debian:GeoTrust_Global_CA.pem
Replacing debian:GeoTrust_Global_CA_2.pem
Replacing debian:GeoTrust_Primary_Certification_Authority.pem
Replacing debian:GeoTrust_Universal_CA.pem
Replacing debian:GeoTrust_Universal_CA_2.pem
Replacing debian:GlobalSign_Root_CA.pem
Replacing debian:GlobalSign_Root_CA_-_R2.pem
Replacing debian:Go_Daddy_Class_2_CA.pem
Replacing debian:NetLock_Business_=Class_B=_Root.pem
Replacing debian:NetLock_Express_=Class_C=_Root.pem
Replacing debian:NetLock_Notary_=Class_A=_Root.pem
Replacing debian:NetLock_Qualified_=Class_QA=_Root.pem
Replacing debian:QuoVadis_Root_CA.pem
Replacing debian:QuoVadis_Root_CA_2.pem
Replacing debian:QuoVadis_Root_CA_3.pem
Replacing debian:RSA_Root_Certificate_1.pem
Replacing debian:RSA_Security_2048_v3.pem
Replacing debian:SecureTrust_CA.pem
Replacing debi...

Loïc Minier (lool) wrote :

Oddly enough:
/etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem
        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287

/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem
        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority

so the intermediate cert is there, but is considered a duplicate.

Also, the target host should be fixed to serve the intermediate CA.

Marc Deslauriers (mdeslaur) wrote :

UbuntuOne-Go_Daddy_Class_2_CA.pem is a duplicate of Go_Daddy_Class_2_CA.pem

Loïc Minier (lool) wrote :

/etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem has DOS CRLF line endings; after I converted it to UNIX line endings and ran c_rehash in /etc/ssl/certs, things worked.

Loïc Minier (lool) wrote :

This is due to changes in the last openssl merge from Debian, presumably themselves coming from upstream, where openssl's tools/c_rehash.in got an updated check_file to validate certs before processing them. Apparently this broke support for DOS-style line endings.
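The manual workaround described in the comments above (convert the CRLF certificate to UNIX line endings, then rerun c_rehash) as a small script. This is an added example and not code from the bug report, from openssl or from ubuntuone-storage-protocol. It assumes only that the caller passes the certificate directory; the `.pem`/`.crt` suffixes it scans for, and the fallback to `openssl rehash` on newer OpenSSL, are assumptions of the example rather than anything stated on this page.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the openssl /
# ubuntuone-storage-protocol packages. Reproduces the manual workaround from
# the thread: find PEM files with CRLF (DOS) line endings, rewrite them with
# LF endings, then let c_rehash rebuild the hash links.

# has_crlf FILE: succeed if FILE contains at least one carriage-return byte.
has_crlf() {
    n=$(tr -dc '\r' < "$1" | wc -c)   # keep only CR bytes, count them
    [ "$((n))" -gt 0 ]
}

# normalize_crlf FILE: strip CR bytes. The result is written back through the
# existing path (not mv'd over it) so a symlink, as in /etc/ssl/certs, and the
# file mode survive; the temp copy protects against a truncated cert on error.
normalize_crlf() {
    tmp=$(mktemp) || return 1
    if tr -d '\r' < "$1" > "$tmp"; then
        cat "$tmp" > "$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# fix_cert_dir DIR: normalize every *.pem/*.crt in DIR that still has CRLF
# endings (the suffix list is an assumption) and print how many were rewritten.
fix_cert_dir() {
    count=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue          # unmatched glob or non-regular file
        if has_crlf "$f"; then
            normalize_crlf "$f" && count=$((count + 1))
        fi
    done
    echo "$count"
}

# rehash_dir DIR: rebuild the <subject_hash>.N links, as the reporter did by
# hand. Kept separate so fix_cert_dir also works where no openssl tools exist.
rehash_dir() {
    if command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$1" >/dev/null
    elif command -v openssl >/dev/null 2>&1; then
        openssl rehash "$1" >/dev/null   # OpenSSL >= 1.1 ships this replacement
    else
        echo "no c_rehash or openssl found; hash links not rebuilt" >&2
        return 1
    fi
}

# Typical use (as root on an affected system):
#   n=$(fix_cert_dir /etc/ssl/certs) && [ "$n" -gt 0 ] && rehash_dir /etc/ssl/certs
```

Because the files under /etc/ssl/certs are usually symlinks into /usr/share/ca-certificates or a package's own directory, `normalize_crlf` edits the link target rather than replacing the link; that is what makes the rerun of c_rehash pick up the corrected file. On a system where the package has already been fixed (as ubuntuone-storage-protocol 2.0.0 was), `fix_cert_dir` simply reports 0 and nothing is touched.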

Changed in ubuntuone-storage-protocol:
status: New → In Progress
assignee: nobody → Loïc Minier (lool)
affects: ca-certificates (Ubuntu) → openssl (Ubuntu)
Loïc Minier (lool) on 2011-09-21
summary: - Breaks some roots
+ Breaks certs with DOS-style line endings
description: updated
description: updated
Loïc Minier (lool) wrote :

NB: I've contacted the site's owner to add the intermediate CA to their SSL setup.

Changed in openssl (Debian):
status: Unknown → New
Changed in ubuntuone-storage-protocol:
status: In Progress → Fix Committed
Changed in ubuntuone-storage-protocol:
milestone: none → 2.0.0
importance: Undecided → High
Changed in ubuntuone-storage-protocol (Ubuntu):
status: New → Triaged
assignee: nobody → Natalia Bidart (nataliabidart)
milestone: none → ubuntu-11.10
importance: Undecided → High
Rodney Dawes (dobey) on 2011-09-26
Changed in ubuntuone-storage-protocol:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-storage-protocol - 2.0.0-0ubuntu1

---------------
ubuntuone-storage-protocol (2.0.0-0ubuntu1) oneiric; urgency=low

  * New upstream release.
    - Use UNIX-style line endings in certs (LP: #855454)
 -- Rodney Dawes <email address hidden> Mon, 26 Sep 2011 16:01:33 -0400

Changed in ubuntuone-storage-protocol (Ubuntu):
status: Triaged → Fix Released
Loïc Minier (lool) on 2011-09-27
Changed in openssl (Ubuntu):
assignee: nobody → Loïc Minier (lool)
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.0e-2ubuntu2

---------------
openssl (1.0.0e-2ubuntu2) oneiric; urgency=low

  * Unapply patch c_rehash-multi and comment it out in the series as it breaks
    parsing of certificates with CRLF line endings and other cases (see
    Debian #642314 for discussion), it also changes the semantics of c_rehash
    directories by requiring applications to parse hash link targets as files
    containing potentially *multiple* certificates rather than exactly one.
    LP: #855454.
 -- Loic Minier <email address hidden> Tue, 27 Sep 2011 18:13:07 +0200

Changed in openssl (Ubuntu):
status: Fix Committed → Fix Released
Loïc Minier (lool) on 2011-09-27
Changed in ca-certificates (Ubuntu):
assignee: nobody → Loïc Minier (lool)
status: New → In Progress
Loïc Minier (lool) on 2011-09-27
Changed in ca-certificates (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20110502+nmu1ubuntu4

---------------
ca-certificates (20110502+nmu1ubuntu4) oneiric; urgency=low

  * Run update-ca-certificates --fresh on upgrades from versions older than
    this one as to remove links created by patched c_rehash or add missing
    links; depend on fixed openssl; drop after oneiric; see Debian #642314;
    LP: #855454.
 -- Loic Minier <email address hidden> Tue, 27 Sep 2011 21:26:40 +0200

Changed in ca-certificates (Ubuntu):
status: Fix Committed → Fix Released

Does any of this need to be backported to Lucid (LTS)? I'm not sure I quite understand the exact implications of this ticket but I have noticed on my LTS machine postfix complains:

Dec 15 10:53:32 linux postfix/smtp[5608]: certificate verification failed for example.domain.com[192.168.0.1]:25: untrusted issuer /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Changed in openssl (Debian):
status: New → Fix Released