Missing Verisign certs due to broken extract script
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ca-certificates (Debian) | Fix Released | Unknown | | |
| ca-certificates (Fedora) | Won't Fix | High | | |
| ca-certificates (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they resigned those roots using SHA1, but requested that the original certs keep shipping in Mozilla's cert list as they had issued intermediates with AKIs that point to the MD2 versions.
See discussion here:
https:/
Now, ca-certificates uses a script called "certdata2pem.py" to extract the certificates from the certdata.txt file provided by Mozilla into individual files. Unfortunately, the script names the certificate file using the CKA_LABEL. In two instances, the verisign md2 and sha1 certs have the same CKA_LABEL, so the script is overwriting the first one (md2) with the second one (sha1).
This results in the Verisign md2 certs being missing from the system ca certs.
This usually isn't a problem except in the case where a website is handing out a complete cert chain, including the md2 root cert. When that happens, webkit is unable to verify the md2 root cert, and the connection fails.
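To make the failure mode concrete, here is an added example (not the ca-certificates project's certdata2pem.py, and not code from the bug reporter) that parses a constructed excerpt in the certdata.txt object/attribute layout, reproduces the label-keyed naming that drops one of two certificates sharing a CKA_LABEL, and shows a hardened variant that detects the collision and keeps both. The octal payloads, the label text and the `_<hash>` suffix scheme are all assumptions made for the example; the payloads are placeholder bytes, not real certificates.

```python
import re
from hashlib import sha256

# Constructed excerpt in certdata.txt layout (assumption: minimal attribute set).
# Two CKO_CERTIFICATE objects share a CKA_LABEL but differ in CKA_VALUE, which
# is exactly the situation the bug describes. Payload bytes are placeholders.
SAMPLE_CERTDATA = r'''
# comment and blank lines are ignored
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
\002\002\003\004
END

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
\002\002\005\006
END

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END
'''

OCTAL_RE = re.compile(r"\\([0-7]{3})")


def parse_certdata(text):
    """Return one dict per object, mapping attribute name to its value.
    MULTILINE_OCTAL values are decoded to bytes, UTF8 values to str."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, typ, *rest = line.split(None, 2)
        if name == "CKA_CLASS" and current:   # a new object starts here
            objects.append(current)
            current = {}
        if typ == "MULTILINE_OCTAL":
            chunks = []
            for raw in lines:                  # consume until the END marker
                if raw.strip() == "END":
                    break
                chunks.append(raw.strip())
            value = bytes(int(o, 8) for o in OCTAL_RE.findall("".join(chunks)))
        elif typ == "UTF8":
            value = rest[0].strip().strip('"')
        else:
            value = rest[0].strip() if rest else ""
        current[name] = value
    if current:
        objects.append(current)
    return objects


def label_to_filename(label):
    """File name derived from CKA_LABEL alone, as the broken extraction did."""
    return re.sub(r"[^A-Za-z0-9]", "_", label) + ".crt"


def label_collisions(objects):
    """Labels that name more than one distinct certificate: the check a
    packager would want to run before trusting label-keyed output."""
    seen = {}
    for obj in objects:
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            seen.setdefault(obj["CKA_LABEL"], set()).add(obj["CKA_VALUE"])
    return {label: len(ders) for label, ders in seen.items() if len(ders) > 1}


def extract_by_label(objects):
    """Broken behaviour: a later cert with the same label silently overwrites
    the earlier one, so only the last DER survives."""
    files = {}
    for obj in objects:
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            files[label_to_filename(obj["CKA_LABEL"])] = obj["CKA_VALUE"]
    return files


def extract_unique(objects):
    """Hardened behaviour (assumed scheme): on a label collision with different
    DER bytes, disambiguate the file name with a short hash of the DER so both
    roots are written. Identical DER under one label is written once."""
    files = {}
    for obj in objects:
        if obj.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        der = obj["CKA_VALUE"]
        fname = label_to_filename(obj["CKA_LABEL"])
        if fname in files and files[fname] != der:
            fname = fname[:-4] + "_" + sha256(der).hexdigest()[:8] + ".crt"
        files[fname] = der
    return files


if __name__ == "__main__":
    objs = parse_certdata(SAMPLE_CERTDATA)
    print("collisions:", label_collisions(objs))
    print("label-keyed files:", len(extract_by_label(objs)))
    print("collision-safe files:", len(extract_unique(objs)))
```

Run as a script it reports one colliding label, two files from the label-keyed extraction and three from the collision-safe one. Keying output on the certificate bytes rather than on a human-readable label is the general lesson: a label is metadata that the upstream store does not promise to be unique.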
Changed in ca-certificates (Debian):
- status: Unknown → New

Changed in ca-certificates (Ubuntu):
- status: New → Confirmed

Changed in ca-certificates (Debian):
- status: New → Fix Committed

Changed in ca-certificates (Debian):
- status: Fix Committed → Fix Released

Changed in ca-certificates (Fedora):
- importance: Unknown → High
- status: Unknown → Won't Fix
Description of problem:
This certificate is missing. "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA"
Version-Release number of selected component (if applicable):
ca-certificates-2011.70-2.fc15.noarch
How reproducible:
Always
Steps to Reproduce:
1. wget https://secure.vonage.com/
Actual results:
wget returns error because of missing certificate.
Expected results:
Additional info: