FEDORA-2020-6ec1d85ab1 created by ueno 2 years ago for Fedora 32
stable

This fixes certificate chain validation involving the expired "AddTrust External Root".

How to install

sudo dnf upgrade --advisory=FEDORA-2020-6ec1d85ab1

This update has been submitted for testing by ueno.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago
cheimes commented & provided feedback 2 years ago

The new build fixes the cert validation issue for me:

# rpm -qa gnutls
gnutls-3.6.13-6.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '23.21.153.210:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is trusted. 
- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: 7A:F6:D0:6D:48:15:16:62:A5:F5:E4:AE:BB:C5:10:1C:C2:50:12:F7:AF:AB:39:0B:CE:9B:07:29:02:15:2D:A2
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

^C

Before upgrade:

# rpm -qa gnutls
gnutls-3.6.13-4.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '204.236.231.159:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
BZ#1842178 AddTrust External Root CA certificate expiration causes cert validation issue
catanzaro commented & provided feedback 2 years ago

We should fix this in F31 as well.

This update has been pushed to testing.

2 years ago
xvitaly provided feedback 2 years ago

This update can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for stable by ueno.

2 years ago
aarem commented & provided feedback 2 years ago

This works for me. Hopefully can be pushed out to updates soon because a lot of people are bound to be affected.


This update has been pushed to stable.

2 years ago
ckujau commented & provided feedback 2 years ago

Hm, instead of removing the expired cert from the CA store, this update...ignores the expired certificate now?

$ gnutls-cli host:443
[...]
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Status: The certificate is trusted. 
ueno commented & provided feedback 2 years ago

@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross-signed (non-expired) certificate is used from the system trust store. See the background of the fix: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705

I'll try to update the command output later.

ueno commented & provided feedback 2 years ago

@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:

$ trust list # check the URL of the cross-signed certificate
$ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit
$ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/
$ gnutls-cli host:443
[...]
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
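The behaviour ueno describes in the two comments above, modelled as an added example: the expired cross-signed copy of "COMODO RSA Certification Authority" in the presented chain is dropped in favour of the trust store's still-valid certificate for the same subject and public key, and blacklisting that trusted copy makes verification fail again. This is not gnutls code; it is a simplified path builder over certificate records. Subjects, pins and expiry dates of the presented chain are taken from the gnutls-cli output in this thread; the self-signed COMODO root's expiry date, the `NOW` timestamp and the function names (`build_path`, `scenarios`) are constructed for the illustration.

```python
"""Simplified model of X.509 path building with an expired cross-signed CA.

Added illustration, not gnutls code. It models the behaviour described in
this thread: the expired cross-signed "COMODO RSA Certification Authority"
in the presented chain is dropped when the system trust store holds a
still-valid certificate for the same subject and public key, and the path
is built through that trusted copy instead. Subjects, pins and expiry dates
of the presented chain come from the gnutls-cli output above; the trust-store
root's expiry date and the NOW timestamp are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pin: str             # SPKI pin: same public key -> same pin, whichever cert carries it
    not_after: datetime  # end of the validity period


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Chain as presented by api.ipify.org above (subjects shortened to the CN).
PRESENTED_CHAIN = [
    Cert("*.ipify.org", "COMODO RSA Domain Validation Secure Server CA",
         "gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=", _utc(2021, 1, 23)),
    Cert("COMODO RSA Domain Validation Secure Server CA", "COMODO RSA Certification Authority",
         "klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=", _utc(2029, 2, 11)),
    # Cross-signed copy of the COMODO root, issued by AddTrust, expired 2020-05-30.
    Cert("COMODO RSA Certification Authority", "AddTrust External CA Root",
         "grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=", _utc(2020, 5, 30)),
    Cert("AddTrust External CA Root", "AddTrust External CA Root",
         "lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", _utc(2020, 5, 30)),
]

# Self-signed COMODO root from the system trust store: same subject and same
# public key (same pin) as the cross-signed copy. Its expiry is a constructed value.
COMODO_SELF_SIGNED = Cert(
    "COMODO RSA Certification Authority", "COMODO RSA Certification Authority",
    "grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=", _utc(2038, 1, 18))
TRUST_STORE = [COMODO_SELF_SIGNED]

NOW = _utc(2020, 6, 1)  # constructed: two days after the AddTrust expiry


def build_path(chain, trust_store, now, prefer_trusted_copy):
    """Build a path from chain[0] to a self-signed certificate and verify it.

    prefer_trusted_copy=False walks the presented chain as given (the pre-fix
    behaviour in this thread); True swaps in a trust-store certificate whenever
    one exists for the needed issuer with the same public key, dropping the
    presented copy. Returns (trusted, subjects_in_path, reason).
    """
    path = [chain[0]]
    remaining = list(chain[1:])
    while path[-1].subject != path[-1].issuer and len(path) < 10:  # bounded path length
        needed = path[-1].issuer
        presented = next((c for c in remaining if c.subject == needed), None)
        anchor = next((a for a in trust_store if a.subject == needed), None)
        if (prefer_trusted_copy and anchor is not None
                and (presented is None or presented.pin == anchor.pin)):
            path.append(anchor)          # the presented (cross-signed) copy is dropped here
            continue
        if presented is None:
            return False, [c.subject for c in path], "no issuer found for " + needed
        remaining.remove(presented)
        path.append(presented)

    subjects = [c.subject for c in path]
    root = path[-1]
    if root.subject != root.issuer:
        return False, subjects, "path does not end in a self-signed certificate"
    expired = [c.subject for c in path if now > c.not_after]
    if expired:
        return False, subjects, "chain uses expired certificate: " + ", ".join(expired)
    if not any(a.subject == root.subject and a.pin == root.pin for a in trust_store):
        return False, subjects, "root not in trust store: " + root.subject
    return True, subjects, "trusted"


def scenarios():
    """The three situations discussed in the thread, keyed by name."""
    return {
        "before_fix": build_path(PRESENTED_CHAIN, TRUST_STORE, NOW, False),
        "after_fix": build_path(PRESENTED_CHAIN, TRUST_STORE, NOW, True),
        # Trust store with the COMODO root blacklisted, as in ueno's check above.
        "after_fix_blacklisted": build_path(PRESENTED_CHAIN, [], NOW, True),
    }


if __name__ == "__main__":
    for name, (ok, subjects, reason) in scenarios().items():
        print(f"{name}: {'trusted' if ok else 'NOT trusted'} ({reason}); path = {subjects}")
```

Running the script prints one line per scenario: the pre-fix walk ends at the expired AddTrust root and fails, the post-fix walk ends at the trusted self-signed COMODO root after three certificates, and the blacklisted trust store falls back to the expired cross-signed copy and fails, which is the outcome ueno's `trust dump` check is meant to confirm.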


Metadata
Type: bugfix
Karma: 4
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
BZ#1842178 AddTrust External Root CA certificate expiration causes cert validation issue