touch-packages team mailing list archive

Thread
Date

[Bug 1255485] Re: StartCom Certification Authority G2 CA cert missing

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Rolf Leggewie <1255485@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Jun 2015 11:44:07 -0000
Reply-to: Bug 1255485 <1255485@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: ca-certificates (Ubuntu Lucid)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1255485

Title:
  StartCom Certification Authority G2 CA cert missing

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Lucid:
  Won't Fix
Status in ca-certificates source package in Precise:
  Confirmed
Status in ca-certificates source package in Quantal:
  Won't Fix

Bug description:
  I'm getting this on a Lucid Lynx server:

  $ wget https://www.sourceware.org
  --2013-11-27 10:48:12--  https://www.sourceware.org/
  Resolving www.sourceware.org... 209.132.180.131
  Connecting to www.sourceware.org|209.132.180.131|:443... connected.
  ERROR: cannot verify www.sourceware.org's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA':
    Self-signed certificate encountered.
  To connect to www.sourceware.org insecurely, use `--no-check-certificate'.

  
  Similarly with curl:

  $ curl https://www.sourceware.org
  curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  More details here: http://curl.haxx.se/docs/sslcerts.html

  curl performs SSL certificate verification by default, using a "bundle"
   of Certificate Authority (CA) public keys (CA certs). If the default
   bundle file isn't adequate, you can specify an alternate file
   using the --cacert option.
  If this HTTPS server uses a certificate signed by a CA represented in
   the bundle, the certificate verification probably failed due to a
   problem with the certificate (it might be expired, or the name might
   not match the domain name in the URL).
  If you'd like to turn off curl's verification of the certificate, use
   the -k (or --insecure) option.

  I presume the certificates are just too old, but there might be a
  problem with openssl, or something, I suppose.

  Since Lucid is still supported for another 17 months, on the server, I
  think this ought to be fixed.

  I'm marking it as a security issue even though it is the user's
  security that is vulnerable, not the system, so apologies if that's
  not appropriate.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1255485/+subscriptions