Bug 1842178

Summary:	AddTrust External Root CA certificate expiration causes cert validation issue
Product:	[Fedora] Fedora	Reporter:	Christian Heimes <cheimes>
Component:	gnutls	Assignee:	Anderson Sasaki <ansasaki>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	32	CC:	ansasaki, brian, crypto-team, dueno, luca, mcatanza, nmavrogi, pemensik, redhat, tmraz
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	gnutls-3.6.13-6.fc32	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-06-02 03:53:35 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Christian Heimes 2020-05-30 19:37:10 UTC

This bug was initially created as a copy of Bug #1842174

I am copying this bug because: 

The problem also affects GnuTLS gnutls-3.6.13-2.fc32.x86_64

$ gnutls-cli api.ipify.org
Processed 152 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '174.129.223.190:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.



Description of problem:
The "AddTrust External Root" CA certificate has expired today. There is an alternative chain to another root CA. However OpenSSL 1.0.2 fails to verify the chain if the expired root CA cert is in the trust store.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root


Version-Release number of selected component (if applicable):
ca-certificates-2019.2.32-76.el7_7.noarch
openssl-1.0.2k-19.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. openssl s_client -connect api.ipify.org:443

Actual results:
# openssl s_client -connect api.ipify.org:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.ipify.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgIRAJIP0bf+S4iutu1asMNsVmgwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTgwMTI0MDAwMDAwWhcNMjEwMTIzMjM1OTU5WjBYMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp
bGRjYXJkMRQwEgYDVQQDDAsqLmlwaWZ5Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMCdCYpCtwGoVFah51Gy/ZrgPmk8s2JTBMZlnKGnLKP7r1SC
feRHgmcGYiAMtXwfFWnA3ZGQ6L9Gm00T1G0K/FpS2POxtDNfRWLiOFS80hW0UnXr
XCvnyHVK0+pXs/3CuOqj8iSnMPdZsly/dhIt0zaWM8zRB8789RIr+zRmlFuXzJQT
Yvul/SKVPZ8gW6HwblTAWL+xZ5KRof8yiokR2WZtl21NQ+Ox9/JnpNMPlCTgHeKR
XhAR1zEg2Hn1FGshS5ypAa0O+8QgsheKzYWdq4bcEJRcYMXQg0S6eBB8GLsj1tqO
KVYmk1S9lcbS4vjzBGh5rhER6IuMTqstChP8WncCAwEAAaOCAdMwggHPMB8GA1Ud
IwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBQcEDPSTQdru56u
AXGhYiQn+yPvczAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQIC
BzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAI
BgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCB
hQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2Nh
LmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0
MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wIQYDVR0RBBow
GIILKi5pcGlmeS5vcmeCCWlwaWZ5Lm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAjPOZ
Mqwt7PZErXI5LXmGM2VfScatgpfZncJYRBgbKjtrI2HBt7446pjHXqzpImxC8rGj
s3AS15vxIz11ERiHqCskEQbg/0AYKJ1TNr5KrL/K8RY9vtGL1WDQCxMqSZcocvYr
YIVam8YkTitO9+xD0K0Icyvgans60Z4nkWJG+ZqRZgNi6TDbfBHWeSiTOc2q4MxI
lFXfP8/nyE2Jz/SO2JPatL05Q3VVJBOHtdpm070tZpIWFYXo9fV7xzHHx4WLHdHm
/ajStwWJoAGPWFUdmG+xoBqzuhADJRGA9L8DjLleBb6mIM39wKvQqgBSTvZlSiUv
4HUHfqpgGH4HX+1Sag==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.ipify.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5903 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E46B7A3821D8EE745867787C2AE6E319EFCE2886B973C508EFECA8C1B005870D
    Session-ID-ctx: 
    Master-Key: FFE6F29827EF514A72B117FE0B326496F33B9E9B7F2513A16AFC713711F0F14FC6155DB7E3BA97A094A6977456050B94
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1590865338
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---


Expected results:
    Verify return code: 0 (ok)


Additional info:
Ryan Sleevi (https://twitter.com/sleevi_/status/1266647545675210753) and Hynek Schlawack (https://twitter.com/hynek/status/1266713203372933121) made me aware of the issue. Ryan's thread on Twitter contains more information on the issue.

Workaround:
Blacklisting the certificate solves the issue for me on RHEL 7.9:

# trust dump --filter "pkcs11:id=%AD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1A;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
# update-ca-trust extract
# trust list | grep -C2 "AddTrust External"
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
pkcs11:id=%ad%bd%98%7a%34%b4%26%f7%fa%c4%26%54%ef%03%bd%e0%24%cb%54%1a;type=cert
    type: certificate
    label: AddTrust External Root
    trust: blacklisted
    category: authority

# openssl s_client -connect api.ipify.org:443 | grep "Verify return code"
    Verify return code: 0 (ok)

Comment 1 Fedora Update System 2020-05-31 14:32:23 UTC

FEDORA-2020-6ec1d85ab1 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6ec1d85ab1

Comment 2 Christian Heimes 2020-05-31 14:43:56 UTC

The new build with patch https://src.fedoraproject.org/rpms/gnutls/blob/master/f/gnutls-3.6.13-superseding-chain.patch fixes the cert validation issue for me:

```
# rpm -qa gnutls
gnutls-3.6.13-6.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '23.21.153.210:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is trusted. 
- Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: 7A:F6:D0:6D:48:15:16:62:A5:F5:E4:AE:BB:C5:10:1C:C2:50:12:F7:AF:AB:39:0B:CE:9B:07:29:02:15:2D:A2
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

^C
```

Before upgrade:

```
# rpm -qa gnutls
gnutls-3.6.13-4.fc32.x86_64
# gnutls-cli api.ipify.org
Processed 150 CA certificate(s).
Resolving 'api.ipify.org:443'...
Connecting to '204.236.231.159:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44="
        Public Key ID:
                sha1:8e05c08fb342748ee63ac348448821bc628b8150
                sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e
        Public Key PIN:
                pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=

- Certificate[1] info:
 - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Certificate[3] info:
 - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

Comment 3 Fedora Update System 2020-06-01 03:12:38 UTC

FEDORA-2020-6ec1d85ab1 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6ec1d85ab1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6ec1d85ab1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-06-02 03:53:35 UTC

FEDORA-2020-6ec1d85ab1 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 5 Anderson Sasaki 2020-07-07 07:41:20 UTC

*** Bug 1850512 has been marked as a duplicate of this bug. ***