Ubuntu
gnutls13 package

Comment 0 for bug 305264

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2008-12-04:

I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.

This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:

gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com

I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update.

I concentrated the rest of my tests in dapper.

With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.

Here is the chain as seen by gnutls against staging.landscape.canonical.com:
[0]
Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287

[1]
Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority

[2]
Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,<email address hidden>

[3]
Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,<email address hidden>
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,<email address hidden>

Notice that the last certificate in the chain is the CA certificate, which is self signed. I wonder if the recent security fix broke that:
- debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
if it is self-signed in lib/x509/verify.c

Here is openssl's chain against the same site (staging):
Certificate chain
0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>

Openssl's s_client tool works, btw.

I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.

This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:

gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com

I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update.

I concentrated the rest of my tests in dapper.

With libgnutls12_1.2.9-2ubuntu1_i386.deb it works.
With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.

[3]
Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com

Notice that the last certificate in the chain is the CA certificate, which is self signed. I wonder if the recent security fix broke that:
    - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
      if it is self-signed in lib/x509/verify.c

Here is openssl's chain against the same site (staging):
Certificate chain
 0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com

Openssl's s_client tool works, btw.

Ubuntugnutls13 package

Comment 0 for bug 305264

Ubuntu
gnutls13 package