FS#66854 - [gnutls] outdated root cert for "USERTrust RSA Certification Authority"?
Attached to Project:
Arch Linux
Opened by Luca De Feo (defeo) - Monday, 01 June 2020, 14:36 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 02 June 2020, 08:12 GMT
Opened by Luca De Feo (defeo) - Monday, 01 June 2020, 14:36 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 02 June 2020, 08:12 GMT
|
Details
Description:
GnuTLS seems to trust an outdated root certificate for "USERTrust RSA Certification Authority", expired on May 30. Here's an example that passes verification with OpenSSL and NSS, but fails with GnuTLS: $ gnutls-cli --sni-hostname=rf.proxycast.org rf.proxycast.org Processed 150 CA certificate(s). Resolving 'rf.proxycast.org:443'... Connecting to '15.188.224.177:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=rf.proxycast.org,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x00f0000c6f5d07279684275810503c5393, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-01-24 00:00:00 UTC', expires `2021-01-24 23:59:59 UTC', pin-sha256="Dd45iq/iE+Q7ISQ7k9053Fsxx7bz5FW0qihb0M39Jqk=" Public Key ID: sha1:828bb18626187a8e919b4d37aa34ba90e3057961 sha256:0dde398aafe213e43b21243b93dd39dc5b31c7b6f3e455b4aa285bd0cdfd26a9 Public Key PIN: pin-sha256:Dd45iq/iE+Q7ISQ7k9053Fsxx7bz5FW0qihb0M39Jqk= - Certificate[1] info: - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4=" - Certificate[2] info: - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. |
This task depends upon
Closed by Andreas Radke (AndyRTR)
Tuesday, 02 June 2020, 08:12 GMT
Reason for closing: Upstream
Additional comments about closing: 3.6.14 will be out very soon
Tuesday, 02 June 2020, 08:12 GMT
Reason for closing: Upstream
Additional comments about closing: 3.6.14 will be out very soon
- rf.proxycast.org is incorrectly serving a root certificate for USERTrust,
- GnuTLS tries to validate the root cert, and finds it is expired,
- OpenSSL and NSS, instead, just ignore it and use the locally stored root cert for USERTrust.
Correct? Then, does this mean I can "misconfigure" my server to serve an arbitrary root cert created by me, and fool GnuTLS into believing the certificate chain is valid?
https://gitlab.com/gnutls/gnutls/-/issues/1008
https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration
https://mail.gnome.org/archives/distributor-list/2020-June/msg00000.html
I believe upstream is working on releasing 3.6.14 as we speak though.
A lot of certificate blabla here, sadly you cannot open it with Epiphany:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020