
touch-packages team mailing list archive

[Bug 1031333] Re: Missing Verisign certs due to broken extract script


** Branch linked: lp:debian/wheezy/ca-certificates

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1031333

Title:
  Missing Verisign certs due to broken extract script

Status in “ca-certificates” package in Ubuntu:
  Fix Released
Status in “ca-certificates” package in Debian:
  Fix Released
Status in “ca-certificates” package in Fedora:
  Unknown

Bug description:
  Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they resigned those roots using SHA1, but requested that the original certs keep shipping in Mozilla's cert list as they had issued intermediates with AKIs that point to the MD2 versions.

  See discussion here:
  https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ

  Now, ca-certificates uses a script called "certdata2pem.py" to extract the certificates from the certdata.txt file provided by Mozilla into individual files. Unfortunately, the script names the certificate file using the CKA_LABEL. In two instances, the verisign md2 and sha1 certs have the same CKA_LABEL, so the script is overwriting the first one (md2) with the second one (sha1).

  This results in the Verisign md2 certs being missing from the system ca certs.
  This usually isn't a problem except in the case where a website is handing out a complete cert chain, including the md2 root cert. When that happens, webkit is unable to verify the md2 root cert, and the connection fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1031333/+subscriptions
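As an added illustration (not the ca-certificates project's own certdata2pem.py), the following Python parser reads a constructed certdata.txt fragment and shows how naming output files by CKA_LABEL alone collapses two distinct certificates with the same label into one file, next to a fingerprint-suffixed naming that keeps both. The fragment, its labels and its DER bytes are constructed for the example, not real Verisign data.

```python
import hashlib
import re

# Constructed miniature certdata.txt fragment (not Mozilla's real file): two
# CKO_CERTIFICATE objects share one CKA_LABEL but carry different DER bytes.
CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\115\104\062
END

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\123\110\101
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
'''

def parse_certificates(text):
    """Return (label, der_bytes) for every object carrying a CKA_VALUE blob."""
    certs, label, in_value, octets = [], None, False, []
    for line in text.splitlines():
        line = line.strip()
        if in_value:
            if line == "END":
                certs.append((label, bytes(octets)))
                in_value, octets = False, []
            else:  # each \NNN escape is one octal-encoded DER byte
                octets.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", line))
        elif line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"', 2)[1]
        elif line == "CKA_VALUE MULTILINE_OCTAL":
            in_value = True
    return certs

def label_to_filename(label):
    """Derive an output filename from the CKA_LABEL, as the bug describes."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", label) + ".crt"

def name_by_label(certs):
    """Buggy behaviour: a later cert with an identical label overwrites the earlier one."""
    files = {}
    for label, der in certs:
        files[label_to_filename(label)] = der
    return files

def name_uniquely(certs):
    """Fixed behaviour: on a label collision with different DER, suffix a SHA-1 fingerprint."""
    files = {}
    for label, der in certs:
        name = label_to_filename(label)
        if name in files and files[name] != der:
            name = name[:-4] + "_" + hashlib.sha1(der).hexdigest()[:8] + ".crt"
        files[name] = der
    return files
```

`name_by_label` returns one file for the fragment above while `name_uniquely` returns two, which is exactly the difference between losing and keeping the md2 root.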