← Back to team overview

desktop-packages team mailing list archive

[Bug 785484] [NEW] Outdated certificate Thawte_Premium_Server_CA.pem

 

You have been subscribed to a public bug:

Release : Kubuntu 11.04
Version of package: unknown package
What I expected: Connect to WPA wireless
What happened: Found problem with Thawte_Premium_Server_CA.pem

I am posting here even though this is Kubuntu 11.04 because this may be
a problem which exists in Ubuntu 11.04 also.

I installed Kubuntu 11.04 yesterday from an iso which was created about
5 days ago. All available updates were installed also. I can access WEP
and non-secured networks with no problems, however my workplace wifi
which uses WPA PEAP with MSCHAPV2 was unable to connect. The certificate
used at my workplace is Thawte_Premium_Server_CA.pem. Every time I tried
to connect, it said that my password was wrong.

At first, I thought that the problem may have been with the KDE network
manager, and so I uninstalled it and installed WICD since this had
solved issues like this in the past. However, I got the same problem.

I then went on the Thawte website and downloaded a copy of the latest
version of Thawte_Premium_Server_CA.pem and to my surprise this is what
I got:

For the original version (the one supplied with Kubuntu 11.04) I get this:
>openssl x509 -text -in Thawte_Premium_Server_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@xxxxxxxxxx
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After : Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@xxxxxxxxxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d2:36:36:6a:8b:d7:c2:5b:9e:da:81:41:62:8f:
38:ee:49:04:55:d6:d0:ef:1c:1b:95:16:47:ef:18:
48:35:3a:52:f4:2b:6a:06:8f:3b:2f:ea:56:e3:af:
86:8d:9e:17:f7:9e:b4:65:75:02:4d:ef:cb:09:a2:
21:51:d8:9b:d0:67:d0:ba:0d:92:06:14:73:d4:93:
cb:97:2a:00:9c:5c:4e:0c:bc:fa:15:52:fc:f2:44:
6e:da:11:4a:6e:08:9f:2f:2d:e3:f9:aa:3a:86:73:
b6:46:53:58:c8:89:05:bd:83:11:b8:73:3f:aa:07:
8d:f4:42:4d:e7:40:9d:1c:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
26:48:2c:16:c2:58:fa:e8:16:74:0c:aa:aa:5f:54:3f:f2 :d7:
c9:78:60:5e:5e:6e:37:63:22:77:36:7e:b2:17:c4:34:b9 :f5:
08:85:fc:c9:01:38:ff:4d:be:f2:16:42:43:e7:bb:5a:46 :fb:
c1:c6:11:1f:f1:4a:b0:28:46:c9:c3:c4:42:7d:bc:fa:ab :59:
6e:d5:b7:51:88:11:e3:a4:85:19:6b:82:4c:a4:0c:12:ad :e9:
a4:ae:3f:f1:c3:49:65:9a:8c:c5:c8:3e:25:b7:94:99:bb :92:
32:71:07:f0:86:5e:ed:50:27:a6:0d:a6:23:f9:bb:cb:a6 :07:
14:42
-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMA kGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZS BUb3duMR0wGwYD
VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2 VydGlmaWNhdGlv
biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIF ByZW1pdW0gU2Vy
dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlck B0aGF3dGUuY29t
MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCz AJBgNVBAYTAlpB
MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcG UgVG93bjEdMBsG
A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0 NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZS BQcmVtaXVtIFNl
cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZX JAdGhhd3RlLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwl ue2oFBYo847kkE
VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hn O2RlNYyIkFvYMR
uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpI UZa4JM
pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
-----END CERTIFICATE-----


For the new downloaded version I get :
>openssl x509 -text -in Thawte_Premium_Server_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
36:12:22:96:c5:e3:38:a5:20:a1:d2:5f:4c:d7:09:54
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@xxxxxxxxxx
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After : Jan 1 23:59:59 2021 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@xxxxxxxxxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d2:36:36:6a:8b:d7:c2:5b:9e:da:81:41:62:8f:
38:ee:49:04:55:d6:d0:ef:1c:1b:95:16:47:ef:18:
48:35:3a:52:f4:2b:6a:06:8f:3b:2f:ea:56:e3:af:
86:8d:9e:17:f7:9e:b4:65:75:02:4d:ef:cb:09:a2:
21:51:d8:9b:d0:67:d0:ba:0d:92:06:14:73:d4:93:
cb:97:2a:00:9c:5c:4e:0c:bc:fa:15:52:fc:f2:44:
6e:da:11:4a:6e:08:9f:2f:2d:e3:f9:aa:3a:86:73:
b6:46:53:58:c8:89:05:bd:83:11:b8:73:3f:aa:07:
8d:f4:42:4d:e7:40:9d:1c:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
65:90:ac:88:0f:56:d9:e6:30:34:d4:26:c7:d0:50:f1:92 :de:
6b:d4:39:88:09:22:c6:a6:63:83:03:f7:99:77:d8:b2:e5 :18:
b8:5d:63:f3:d4:73:fb:6c:9c:99:78:f1:4b:78:7d:19:24 :c3:
2b:02:84:f8:bc:22:d9:8a:22:d7:a0:fc:71:ec:91:87:20 :f1:
b8:ec:b1:e5:55:80:ac:3d:52:c8:39:0e:c2:f0:c0:05:4f :d6:
82:75:8c:bd:5f:d2:dc:76:9a:05:12:c9:af:72:c3:dc:25 :7e:
a4:4d:8e:17:a5:e0:87:7f:e1:9a:5a:e1:60:dc:64:23:3c :42:
2e:4d
-----BEGIN CERTIFICATE-----
MIIDNjCCAp+gAwIBAgIQNhIilsXjOKUgodJfTNcJVDANBgkqhk iG9w0BAQUFADCB
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZT ESMBAGA1UEBxMJ
Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZy BjYzEoMCYGA1UE
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB 8GA1UEAxMYVGhh
d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFh lwcmVtaXVtLXNl
cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIxMD EwMTIzNTk1OVow
gc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcG UxEjAQBgNVBAcT
CUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbm cgY2MxKDAmBgNV
BAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xIT AfBgNVBAMTGFRo
YXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3DQEJAR YZcHJlbWl1bS1z
ZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQ AwgYkCgYEA0jY2
aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhINTpS9CtqBo87L+ pW46+GjZ4X9560
ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKb gifLy3j
+ao6hnO2RlNYyIkFvYMRuHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBlkKyID1bZ5jA01CbH0FDxkt5 r1DmI
CSLGpmODA/eZd9iy5Ri4XWPz1HP7bJyZePFLeH0ZJMMrAoT4vCLZiiLXoPxx 7JGH
IPG47LHlVYCsPVLIOQ7C8MAFT9aCdYy9X9LcdpoFEsmvcsPcJX 6kTY4XpeCHf+Ga
WuFg3GQjPEIuTQ==
-----END CERTIFICATE-----


The first thing that caught my attention was the serial number, and then the signature algorithm. The version supplied with Kubuntu is not the same as that supplied by the official website. Once I installed the new version that I had just downloaded, WICD was able to connect to my workplace network with no problems.

It might be worth looking at all the certs and making sure they are up
to date.

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: kubuntu natty ssl
-- 
Outdated certificate Thawte_Premium_Server_CA.pem
https://bugs.launchpad.net/bugs/785484
You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu.