group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #40487
[Bug 1944481] Re: Distrust "DST Root CA X3"
This bug was fixed in the package ca-certificates - 20210119ubuntu1
---------------
ca-certificates (20210119ubuntu1) impish; urgency=medium
[ Dimitri John Ledkov ]
* mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
(LP: #1944481)
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Wed, 22 Sep 2021
07:46:54 -0400
** Changed in: ca-certificates (Ubuntu Impish)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1944481
Title:
Distrust "DST Root CA X3"
Status in ca-certificates package in Ubuntu:
Fix Released
Status in ca-certificates source package in Trusty:
Fix Released
Status in ca-certificates source package in Xenial:
Fix Released
Status in ca-certificates source package in Bionic:
Fix Released
Status in ca-certificates source package in Focal:
Fix Released
Status in ca-certificates source package in Hirsute:
Fix Released
Status in ca-certificates source package in Impish:
Fix Released
Bug description:
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain suspeptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
* This is similar to how this was handled for AddTrust before
"* mozilla/blacklist.txt: blacklist expired AddTrust External Root
CA."
[Test Plan]
* Install old/current ca-certificates faketime wget curl
libcurl3-gnutls
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.
# LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
* Install new ca-certificates package
# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[====================================================>] 612
--.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 612 100 612 0 0 5794 0 --:--:-- --:--:-- --:--:-- 5828
Download is successful.
[Where problems could occur]
* Connectivity to "DST Root CA X3" websites only, even under faketime
set to dates prior to 30th of September 2021 will not work, as "DST
Root CA X3" certificate is no longer installed. users should locally
install and enable that CA certificate, or allow dangerous unverified
connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+subscriptions