stable

gnutls-3.6.13-6.fc32

FEDORA-2020-6ec1d85ab1 created by ueno 3 years ago for Fedora 32

This fixes certificate chain validation involving the expired "AddTrust External Root".

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-6ec1d85ab1

This update has been submitted for testing by ueno.

3 years ago

This update's test gating status has been changed to 'waiting'.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago
cheimes commented & provided feedback 3 years ago

The new build fixes the cert validation issue for me:

# rpm -qa gnutls
gnutls-3.6.13-6.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '23.21.153.210:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is trusted. 
- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: 7A:F6:D0:6D:48:15:16:62:A5:F5:E4:AE:BB:C5:10:1C:C2:50:12:F7:AF:AB:39:0B:CE:9B:07:29:02:15:2D:A2
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

^C

Before upgrade:

# rpm -qa gnutls
gnutls-3.6.13-4.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '204.236.231.159:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
BZ#1842178 AddTrust External Root CA certificate expiration causes cert validation issue
catanzaro commented & provided feedback 3 years ago

We should fix this in F31 as well.

This update has been pushed to testing.

3 years ago
xvitaly provided feedback 3 years ago

This update can be pushed to stable now if the maintainer wishes.

3 years ago

This update has been submitted for stable by ueno.

3 years ago
aarem commented & provided feedback 3 years ago

This works for me. Hopefully it can be pushed out to updates soon because a lot of people are bound to be affected.


This update has been pushed to stable.

3 years ago
ckujau commented & provided feedback 3 years ago

Hm, instead of removing the expired cert from the CA store, this update...ignores the expired certificate now?

$ gnutls-cli host:443
[...]
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Status: The certificate is trusted. 
ueno commented & provided feedback 3 years ago

@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross-signed (non-expired) certificate is used from the system trust store. See the background of the fix: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705

I'll try to update the command output later.

ueno commented & provided feedback 3 years ago

@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:

$ trust list # check the URL of the cross-signed certificate
$ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit
$ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/
$ gnutls-cli host:443
[...]
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
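As an added illustration of ueno's two comments above (a toy model written for this page, not gnutls code or the update's patch): a path builder that, for each certificate, prefers a still-valid trust-store copy of the same subject and key over an expired copy supplied by the server, so the expired AddTrust cross-sign and root are dropped from the chain. Subject names (trimmed to the CN), pins and dates are taken from the gnutls-cli output on this page; the self-signed COMODO root's expiry date is an assumed value, and the blacklisting check from the second comment is modelled as running with that root removed from the store.

```python
# Added example, not gnutls code: a toy model of the chain-building change ueno
# describes. Certs are plain records (no signatures checked); names, pins and
# dates come from the gnutls-cli output above, with subjects trimmed to the CN.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pin: str              # pin-sha256 of the public key, as gnutls-cli prints it
    not_after: datetime

def verify(chain, trust_store, now, prefer_store=True):
    """Walk chain[0] (the leaf) towards a trust anchor; return (trusted, reason).
    prefer_store=False: each supplied issuer must be within its validity period
    (the pre-3.6.13-6 behaviour shown above). prefer_store=True: a non-expired
    store certificate with the same subject and key replaces the supplied copy
    and the rest of the chain (the expired AddTrust cross-sign and root) is dropped."""
    anchors = {(c.subject, c.pin): c for c in trust_store}
    for i, cert in enumerate(chain):
        if i and chain[i - 1].issuer != cert.subject:
            return False, f"chain break before {cert.subject}"
        store_copy = anchors.get((cert.subject, cert.pin))
        if prefer_store and store_copy and now <= store_copy.not_after:
            return True, f"trusted via store copy of {cert.subject}"
        if now > cert.not_after:
            return False, f"chain uses expired certificate: {cert.subject}"
        if store_copy:
            return True, f"trusted via supplied anchor {cert.subject}"
    return False, "no trust anchor reached"

def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

LEAF = Cert("CN=*.ipify.org", "CN=COMODO RSA Domain Validation Secure Server CA",
            "gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=", _t("2021-01-23 23:59:59"))
DV_CA = Cert("CN=COMODO RSA Domain Validation Secure Server CA", "CN=COMODO RSA Certification Authority",
             "klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=", _t("2029-02-11 23:59:59"))
COMODO_X = Cert("CN=COMODO RSA Certification Authority", "CN=AddTrust External CA Root",
                "grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=", _t("2020-05-30 10:48:38"))
ADDTRUST = Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
                "lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", _t("2020-05-30 10:48:38"))
# self-signed COMODO root from the system store: same subject and key as the
# cross-signed copy above; its expiry date is an assumed value
COMODO_ROOT = Cert(COMODO_X.subject, COMODO_X.subject, COMODO_X.pin, _t("2038-01-18 23:59:59"))
SERVER_CHAIN = [LEAF, DV_CA, COMODO_X, ADDTRUST]
SYSTEM_STORE = [COMODO_ROOT, ADDTRUST]
AFTER_EXPIRY = _t("2020-06-01 00:00:00")   # any time after 2020-05-30 10:48:38 UTC
```

Running `verify(SERVER_CHAIN, SYSTEM_STORE, AFTER_EXPIRY, prefer_store=False)` reproduces the "chain uses expired certificate" failure, the default reproduces the fixed build's trusted result, and passing `[ADDTRUST]` as the store reproduces ueno's blacklisting check.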


Metadata
Type: bugfix
Karma: 4
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days
Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago
BZ#1842178 AddTrust External Root CA certificate expiration causes cert validation issue
