[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2017-10-27 Thread Bug Watch Updater
Launchpad has imported 9 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=733032. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-10-18 Thread Launchpad Bug Tracker
** Branch linked: lp:debian/wheezy/ca-certificates -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1031333 Title: Missing Verisign certs due to broken extract script To manage notifications about thi

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-03-24 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20130906ubuntu0.12.04.1 --- ca-certificates (20130906ubuntu0.12.04.1) precise-security; urgency=medium * Update ca-certificates database to 20130906 (LP: #1257265): - backport changes from the Ubuntu 14.04 20130906ubuntu1 packa

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-03-24 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20130906ubuntu0.10.04.1 --- ca-certificates (20130906ubuntu0.10.04.1) lucid-security; urgency=medium * Update ca-certificates database to 20130906 (LP: #1257265, LP: #1271357): - backport changes from the Ubuntu 14.04 20130906u

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-03-24 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20130906ubuntu0.13.10.1 --- ca-certificates (20130906ubuntu0.13.10.1) saucy-security; urgency=medium * Update ca-certificates database to 20130906 (LP: #1257265): - backport changes from the Ubuntu 14.04 20130906ubuntu1 package

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-03-13 Thread Bug Watch Updater
** Changed in: ca-certificates (Debian) Status: Fix Committed => Fix Released

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-03-13 Thread Launchpad Bug Tracker
** Branch linked: lp:debian/ca-certificates

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-03-05 Thread Launchpad Bug Tracker
** Branch linked: lp:~ubuntu-branches/ubuntu/lucid/ca-certificates/lucid-proposed ** Branch linked: lp:~ubuntu-branches/ubuntu/precise/ca-certificates/precise-proposed ** Branch linked: lp:ubuntu/quantal-proposed/ca-certificates ** Branch linked: lp:ubuntu/saucy-proposed/ca-certificates

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2014-02-24 Thread Bug Watch Updater
** Changed in: ca-certificates (Debian) Status: New => Fix Committed

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2013-05-11 Thread Roger Crew
> I'm not sure there are any left though.

There are. As of today 5/11/2013, Verisign's md2 certificate *is* still in use, i.e., still being sent out as part of the cert chain at actual sites, see e.g., pip.verisignlabs.com -- which is Verisign/Symantec's openid provider and thus may be particul

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-17 Thread Jamie Strandboge
** Changed in: ca-certificates (Ubuntu) Status: New => Confirmed

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-15 Thread Bug Watch Updater
** Changed in: ca-certificates (Debian) Status: Unknown => New

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-08 Thread Michael Vogt
Thanks Marc, indeed you are right :)

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-07 Thread Marc Deslauriers
mozilla and Chromium still have the md2 cert, because VeriSign had issued intermediates with AKIs that point to the MD2 versions. I'm not sure there are any left though. If you remove the md2 cert from firefox, and restart it, it will still validate the site correctly. You need to tell openssl w

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-07 Thread Michael Vogt
Fwiw, when inspecting the site with mozilla and chromium I see the md2 cert in the root of the chain. And openssl returns: $ openssl s_client -connect secure-test.streamline-esolutions.com:443 ; openssl s_client -connect secure-test.streamline-esolutions.com Verify return code: 19 (self sign

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-06 Thread Marc Deslauriers
I've opened LP: #1033516 for the bug that glib-networking (and libsoup >= 2.37) won't validate properly using the sha1 cert.

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-06 Thread Michael Vogt
It seems like the problem is the following: GNUTLS: - gnutls passes all certificates in /etc/ssl/certs/ca-certificates.crt - the server secure-test.streamline-esolutions.com returns a certificate that is signed with the Verisign_Class_3_Public_Primary_Certification_Authority.pem certificate with

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-06 Thread Michael Vogt
I looked a bit at the gio code this morning and it appears the problem with the site in question is that gtlsdatabase-gnutls.c:build_certificate_chain does not find an "anchor" and therefore passes NULL as the anchors to gnutls_x509_crt_list_verify() which always fails with "*output |= GNUT

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-01 Thread Marc Deslauriers
** Bug watch added: Red Hat Bugzilla #733032 https://bugzilla.redhat.com/show_bug.cgi?id=733032 ** Also affects: ca-certificates (Fedora) via https://bugzilla.redhat.com/show_bug.cgi?id=733032 Importance: Unknown Status: Unknown

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-08-01 Thread Marc Deslauriers
OK, I am now convinced that we don't need the md2 certs, applications should be able to validate using the sha1 certs. I believe a bug in libsoup/glib-networking is causing the sha1 certs to not be used. We still should improve ca-certificates to make _sure_ that we're shipping the sha1 certs inst

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-07-31 Thread Marc Deslauriers
These are _root_ certs, the crypto library doesn't verify the signatures on root certs, since they are self-signed. If we really don't want to ship md2 root certs, we need to make sure ca-certificates deliberately disables them, instead of overwriting them by coincidence just because they are lis

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-07-31 Thread Philipp Kern
I think it would be irresponsible to provide MD2-signed certificates. The discussion is dated 2009. I think ca-certificates should provide neither MD2 nor MD5 root certificates. And MD2 verification should be unsupported in the crypto lib anyway (see CVE-2009-2409). ** CVE added: http://www.cve.mi

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-07-31 Thread Marc Deslauriers
** Bug watch added: Debian Bug tracker #683403 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683403 ** Also affects: ca-certificates (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683403 Importance: Unknown Status: Unknown

[Bug 1031333] Re: Missing Verisign certs due to broken extract script

2012-07-31 Thread Marc Deslauriers
Here is a small reproducer that shows the issue with a website that needs the md2 Verisign cert. ** Attachment added: "Reproducer for issue" https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1031333/+attachment/3243720/+files/webkit-missing-cert.py