group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1944481] Re: Distrust "DST Root CA X3"

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1944481@xxxxxxxxxxxxxxxxxx>
Date: Thu, 23 Sep 2021 11:48:47 -0000
Reply-to: Bug 1944481 <1944481@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug was fixed in the package ca-certificates -
20210119ubuntu0.21.04.1

---------------
ca-certificates (20210119ubuntu0.21.04.1) hirsute-security; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
    (LP: #1944481)

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 22 Sep 2021
07:46:54 -0400

** Changed in: ca-certificates (Ubuntu Hirsute)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  New
Status in ca-certificates source package in Trusty:
  New
Status in ca-certificates source package in Xenial:
  New
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  New

Bug description:
  [Impact]

   * ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
   * ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
   * "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
   * This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
   * We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
   * One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
   * This is similar to how this was handled for AddTrust before

  "* mozilla/blacklist.txt: blacklist expired AddTrust External Root
  CA."

  [Test Plan]

   * Install old/current ca-certificates faketime wget curl
  libcurl3-gnutls

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
    Issued certificate has expired.
  To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: certificate has expired

   * Install new ca-certificates package

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 612 [text/html]
  Saving to: 'index.html.3'

  100%[====================================================>] 612
  --.-K/s   in 0s

  2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]

   LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   612  100   612    0     0   5794      0 --:--:-- --:--:-- --:--:--  5828

  Download is successful.

  [Where problems could occur]

   * Connectivity to "DST Root CA X3" websites only, even under faketime
  set to dates prior to 30th of September 2021 will not work, as "DST
  Root CA X3" certificate is no longer installed. users should locally
  install and enable that CA certificate, or allow dangerous unverified
  connectivity to websites using expired CA certs.

  [Other Info]

   * Related openssl and gnutls28 bugs are
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and
  https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+subscriptions