[Bug 1722411] Re: gnutls28 in trusty no longer validates many valid certificate chains, such as google.com
Łukasz Zemczak
1722411 at bugs.launchpad.net
Thu Jul 5 08:23:19 UTC 2018
@andersk The requirement has been around either forever or at least for
a very long time; please see SRU acceptance comment #18:
"(...)
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty.
(...)"
There have been multiple cases where people were testing versions from PPAs
instead of the -proposed pocket. Also, the SRU team, by accepting a
package validation, needs to have some level of certainty that the tester
actually performed the required tests on the package. We had countless
cases of testers just marking packages as verified without doing
anything, or not going through all the required test cases. Having a
version number at least gives us some information and a better sense
that the test result can be trusted. Of course, people can just
copy-paste and cheat anyway, but that's one additional step they need to
perform at least.
In most cases we're not even accepting test results without a mention of
what specific tests have been performed. The more verbosity the better,
since we have more proof. If we believed blindly in whatever anyone
just says, we'd have more broken packages for no reason. Anyone can say
"works for me", and many people do, but then subtle things like
"whoops, I actually tested the wrong version" pop up here and there,
because the tested PPA-built package that seemingly had the same
contents could be busted in the -proposed archives due to different
package dependencies being available.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1722411
Title:
gnutls28 in trusty no longer validates many valid certificate chains,
such as google.com
Status in gnutls28 package in Ubuntu:
Fix Released
Status in gnutls28 source package in Trusty:
Fix Released
Bug description:
[Impact]
Recently, due to some combination of the recent ca-certificate SRU and
server certificate chain reconfigurations, the gnutls28 package in
trusty was left unable to validate many valid certificate chains, such
as that of google.com.
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
The problem is that although GeoTrust Global CA is a trusted
certificate, gnutls28 gives up after noting that Equifax Secure
Certificate Authority is not. This bug was fixed upstream by these
commits:
https://gitlab.com/gnutls/gnutls/commit/72a7b8e63f76c7f2faf482bdbf4e740b82a1fae9
https://gitlab.com/gnutls/gnutls/commit/9dbe3aab9e157ef8f7a67112a4619d4f028519dc
https://gitlab.com/gnutls/gnutls/commit/d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31
[Test Case]
One way to reproduce this is by building and running gnutls-cli:
$ apt-get build-dep gnutls28
$ apt-get source gnutls28
$ cd gnutls28-3.2.11
$ debian/rules build
$ ./src/gnutls-cli google.com
Processed 118 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4009:811::200e:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA256, activated `2017-09-26 11:09:35 UTC', expires `2017-12-19 10:59:00 UTC', SHA-1 fingerprint `a2a8d7ae1097865469dd5cf830896b930b704c8c'
Public Key ID:
e3e4e591a11311b8c92f8cddbebbea025d0e2088
Public key's random art:
+--[ EC 256]----+
|o .o. |
|E . . . |
| . . . o. . |
| . = o o |
| . B oS + |
| . o =+o= . |
| . oo . |
| . . |
| oo.++ |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-05-22 11:32:37 UTC', expires `2018-12-31 23:59:59 UTC', SHA-1 fingerprint `a6120fc0b4664fad0b3b6ffd5f7a33e561ddb87d'
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
(Note that the gnutls-cli binary in trusty’s gnutls-bin package comes
from gnutls26, which seems to have already received the necessary
updates, although it requires the
‘--x509cafile /etc/ssl/certs/ca-certificates.crt’ option.)
[Regression Potential]
Most GnuTLS-dependent packages in trusty use gnutls26 rather than
gnutls28, so potential regressions, if any, would likely manifest in
self-compiled binaries and PPA packages that were specifically
compiled against gnutls28. (I noticed this bug in the first place
because vlc from ppa:jonathonf/vlc became unable to play YouTube
videos.)
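The verification logic at the heart of this bug, as an added name-only model that is not GnuTLS code: a certificate is reduced to (subject, issuer), the chain and trust store are constructed from the names in the report, and signatures, validity dates and key usage are out of scope. `verify_old` follows the whole server-sent list and then asks only whether the last certificate's issuer is trusted, which is why the Equifax root being absent fails the chain; `verify_fixed` checks each certificate against the trust store before following its issuer, so the chain is anchored at GeoTrust Global CA and the unknown issuer above it is never consulted.

```python
"""Name-only model of the GnuTLS chain-verification bug in LP #1722411.
Added example, not GnuTLS code; a certificate is just (subject, issuer),
signatures and validity dates are out of scope."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed from the chain in the bug report (CN/OU fields only).
GOOGLE_CHAIN = [
    Cert("CN=*.google.com", "CN=Google Internet Authority G2"),
    Cert("CN=Google Internet Authority G2", "CN=GeoTrust Global CA"),
    Cert("CN=GeoTrust Global CA", "OU=Equifax Secure Certificate Authority"),
]
# GeoTrust Global CA is trusted, but the Equifax root it chains to is not,
# as on trusty after the ca-certificates update described in the report.
TRUST_STORE = {"CN=GeoTrust Global CA"}

def _links(chain, depth):
    """The certificate at depth must be issued by the one after it, if any."""
    nxt = chain[depth + 1] if depth + 1 < len(chain) else None
    return nxt is None or nxt.subject == chain[depth].issuer

def verify_old(chain, trusted):
    """Behaviour the report describes: walk to the last certificate the
    server sent and require its *issuer* to be a trust anchor, never asking
    whether an earlier certificate is itself trusted."""
    for depth in range(len(chain)):
        if not _links(chain, depth):
            return False, f"chain does not link at depth {depth}"
    last = chain[-1]
    if last.issuer in trusted:
        return True, f"anchored at {last.issuer}"
    return False, f"The certificate issuer is unknown: {last.issuer}"

def verify_fixed(chain, trusted):
    """Corrected logic: before following a certificate's issuer, check whether
    that certificate is itself in the trust store and, if so, stop there."""
    for depth, cert in enumerate(chain):
        if cert.subject in trusted:
            return True, f"anchored at depth {depth}: {cert.subject}"
        if not _links(chain, depth):
            return False, f"chain does not link at depth {depth}"
    last = chain[-1]
    if last.issuer in trusted:
        return True, f"anchored at {last.issuer}"
    return False, f"The certificate issuer is unknown: {last.issuer}"
```

With the two-certificate list a server would send if it omitted GeoTrust Global CA, both versions succeed through the issuer lookup, which is why the breakage only appeared once servers started sending the cross-signed GeoTrust certificate as the last element.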
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1722411/+subscriptions