Bug#911289: ca-certificates should remove Symantec certs

Bug#911289: ca-certificates should remove Symantec certs

Hanno Böck-4
Package: ca-certificates
Version: 20180409

I think most people are aware that browser vendors agreed to distrust
certificates by Symantec and they no longer issue certificates (their
business got sold to Digicert).

This should also be reflected in the ca-certificates package and the
Symantec roots should be removed (particularly as this package is
acting as a de-facto upstream for several other distros).

This needs some checking which certificates exactly shall be removed.
Symantec operated under various different brand names (Thawte, Geotrust,
and they also owned the old Verisign roots), and some of their roots
have changed the owner and are excluded from the distrust.

Bug#911289: ca-certificates should remove Symantec certs

Michael Shuler-5
Thanks, I'll take a look. From memory, I recall this was a "certificates
after X date" logic in NSS, but the CAs are still in certdata.txt.

--
Kind regards,
Michael

Bug#911289: ca-certificates: Symantec cert still included in Debian

Sam Morris
In reply to this post by Hanno Böck-4
Package: ca-certificates
Followup-For: Bug #911289


I'm trying to find a list of the distrusted certificates and it's not
easy... going by [0], the last entry on the list is:

    CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

Which is still included in ca-certificates!

    $ openssl x509 -noout -fingerprint -sha256 -in /usr/share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
    SHA256 Fingerprint=23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

[0] https://blogs.oracle.com/java-platform-group/jdk-distrusting-symantec-tls-certificates

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (550, 'stable-updates'), (550, 'stable-debug'), (550, 'stable'), (530, 'testing-debug'), (530, 'testing'), (520, 'unstable-debug'), (520, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.3.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  openssl                1.1.1d-0+deb10u2

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded


Bug#911289: ca-certificates: How to handle certificates distrusted in gecko?

Sam Morris
In reply to this post by Hanno Böck-4
Package: ca-certificates
Followup-For: Bug #911289


I think this comment[0] leads me to the place where the Symantec
distrust is implemented. And it's not in NSS itself, but in browsers
themselves [1, 2].

I don't know where this leaves ca-certificates. For the time being, the
certificates blacklisted by browsers can be blacklisted in
ca-certificates itself. But in general a simple whitelist of trusted
certificate authorities is no longer sufficient. For instance, NSS has
the ability[3] to distrust a CA certificate after a particular date.
This simply isn't possible to represent in ca-certificates' whitelist.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1456112#c5
[1] https://github.com/mozilla/gecko-dev/blob/e070fba60fae8411f1f2e2f50bb22d5b86e71679/security/certverifier/NSSCertDBTrustDomain.cpp#L1174
[2] https://github.com/chromium/chromium/blob/2ca8c5037021c9d2ecc00b787d58a31ed8fc8bcb/net/http/transport_security_state_ct_policies.inc#L39
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

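As an added example (this is not code from the ca-certificates package nor from either poster), the following Python script does what the two posts above describe: it computes the SHA-256 fingerprint over each certificate's DER bytes, which is exactly what `openssl x509 -noout -fingerprint -sha256` prints, compares the result with a list of distrusted roots, and emits the `!path` lines that /etc/ca-certificates.conf uses to deselect a certificate so update-ca-certificates leaves it out. The only real value in it is the VeriSign Universal Root fingerprint quoted in the report; the sample tree, the file names `Example_Root_A.crt` and `Example_Root_B.crt`, and the second distrust-list entry are constructed so the script runs offline.

```python
"""Find distrusted roots in a ca-certificates tree and emit deselect lines.
Added example for this bug thread, not part of the ca-certificates package."""
import base64
import hashlib
import os
import re
from typing import Dict, Iterable, List

# SHA-256 fingerprint quoted in the bug report for
# CN=VeriSign Universal Root Certification Authority.
VERISIGN_UNIVERSAL_ROOT_SHA256 = (
    "23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:"
    "A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block. The result is the DER
    encoding, which is the input OpenSSL hashes for a fingerprint."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the same shape as
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Compare fingerprints regardless of colons, spaces or case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def find_distrusted(certs: Dict[str, str], distrusted: Iterable[str]) -> Dict[str, str]:
    """certs maps a path relative to /usr/share/ca-certificates to PEM text.
    Returns {path: fingerprint} for every cert on the distrust list."""
    wanted = {normalize(fp) for fp in distrusted}
    hits = {}
    for path, pem in certs.items():
        fp = sha256_fingerprint(pem_to_der(pem))
        if normalize(fp) in wanted:
            hits[path] = fp
    return hits


def deselect_lines(hits: Dict[str, str]) -> List[str]:
    """Lines for /etc/ca-certificates.conf: a leading '!' deselects that file,
    so update-ca-certificates omits it from /etc/ssl/certs."""
    return sorted("!" + path for path in hits)


def load_tree(root: str = "/usr/share/ca-certificates") -> Dict[str, str]:
    """Read every .crt under root, keyed by the relative path the conf uses."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".crt"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="ascii", errors="replace") as fh:
                    tree[os.path.relpath(full, root)] = fh.read()
    return tree


# --- constructed sample input (not real certificates) ------------------------
def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. The payload stands in for DER;
    fingerprinting only needs the bytes, not a parseable X.509 structure."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_TREE = {  # placeholder file names, constructed payloads
    "mozilla/Example_Root_A.crt": constructed_pem(b"constructed root A"),
    "mozilla/Example_Root_B.crt": constructed_pem(b"constructed root B"),
}

# A real distrust list is copied from the browser/JDK announcement. This one
# holds the fingerprint from the report plus constructed root A's own
# fingerprint so the match path is exercised offline.
SAMPLE_DISTRUSTED = {
    VERISIGN_UNIVERSAL_ROOT_SHA256,
    sha256_fingerprint(pem_to_der(SAMPLE_TREE["mozilla/Example_Root_A.crt"])),
}

if __name__ == "__main__":
    hits = find_distrusted(SAMPLE_TREE, SAMPLE_DISTRUSTED)
    for path, fp in hits.items():
        print(f"{path}: {fp}")
    print("\n".join(deselect_lines(hits)))
```

Against a real system, `find_distrusted(load_tree(), distrusted)` walks /usr/share/ca-certificates and the printed `!mozilla/...crt` lines can be appended to /etc/ca-certificates.conf before re-running update-ca-certificates. This only expresses a whole-certificate blocklist; the date-based rule the browsers apply (distrusting only chains whose leaf was issued after a cutoff) has no representation in the ca-certificates whitelist, which is the gap the second post points out.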

Bug#911289: Tagging Pending Bugs

Michael Shuler-5
In reply to this post by Hanno Böck-4
tags 911289 + pending
tags 955038 + pending
tags 956411 + pending
tags 961907 + pending
thanks

This commit on master is good to go to fix the above bugs in unstable -
marking them pending:

commit b3a8980b781bc9a370e42714a605cd4191bb6c0b
Commit:     Michael Shuler <[hidden email]>
CommitDate: Mon Jun 1 14:38:12 2020 -0500

     Fix typo on AddTrust CN
----

Looking at stable, oldstable builds using the same commit, next. Likely
standards/compat need downgrading, but should work ok as-is otherwise.

CCing Thijs and a few others directly for upload, or I can go the
mentors route. Thank you, sponsor!

--
Kind regards,
Michael