Bug 880188
Summary: | gnutls: will not accept X.509 version 1 root CAs by default | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Florian Weimer <fweimer> |
Component: | gnutls | Assignee: | Nikos Mavrogiannopoulos <nmavrogi> |
Status: | CLOSED NEXTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.3 | CC: | tmraz |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-12-03 12:05:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description

Florian Weimer 2012-11-26 13:17:17 UTC

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

I cannot verify it, as it is no longer present with www.google.com. It now uses that CA:

```
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 12bbe6
	Issuer: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
	Validity:
		Not Before: Tue May 21 04:00:00 UTC 2002
		Not After: Tue Aug 21 04:00:00 UTC 2018
	Subject: C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
			da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:3c:6c
			38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:43:b6:03
			e9:4d:21:07:08:88:da:58:2f:66:39:29:bd:05:78:8b
			9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:60:a6:b0:ef:80
			e4:89:28:0f:9e:25:d6:ed:83:f3:ad:a6:91:c7:98:c9
			42:18:35:14:9d:ad:98:46:92:2e:4f:ca:f1:87:43:c1
			16:95:57:2d:50:ef:89:2d:80:7a:57:ad:f2:ee:5f:6b
			d2:00:8d:b9:14:f8:14:15:35:d9:c0:46:a3:7b:72:c8
			91:bf:c9:55:2b:cd:d0:97:3e:9c:26:64:cc:df:ce:83
			19:71:ca:4e:e6:d4:d5:7b:a9:19:cd:55:de:c8:ec:d2
			5e:38:53:e5:5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb
			8e:a4:39:19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1
			1d:05:9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39
			e2:fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32
			eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:36
			84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:e4:f9
		Exponent (bits 24):
			01:00:01
	Extensions:
		Authority Key Identifier (not critical):
			48e668f92bd2b295d747d82320104f3398909fd4
		Subject Key Identifier (not critical):
			c07a98688d89fbab05640c117daa7d65b8cacc4e
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Key Usage (critical):
			Certificate signing.
			CRL signing.
		CRL Distribution points (not critical):
			URI: http://crl.geotrust.com/crls/secureca.crl
		Unknown extension 2.5.29.32 (not critical):
			ASCII: 0E0C..U. .0;09..+........-https://www.geotrust.com/resources/repository
			Hexdump: 304530430604551d2000303b303906082b06010505070201162d68747470733a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f7265706f7369746f7279
	Signature Algorithm: RSA-SHA
	Signature:
		76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0
		08:c7:c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8
		4e:d6:43:38:b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36
		11:9c:e8:48:66:a3:6d:7f:b8:13:d4:47:fe:8b:5a:5c
		73:fc:ae:d9:1b:32:19:38:ab:97:34:14:aa:96:d2:eb
		a3:1c:14:08:49:b6:bb:e5:91:ef:83:36:eb:1d:56:6f
		ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb:3d:07:ed:5f
		38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84:3f:12
Other Information:
	MD5 fingerprint: 2e7db2a31d0e3da4b25f49b9542a2e1a
	SHA-1 fingerprint: 7359755c6df9a0abc3060bce369564c8ec4542a3
	Public Key Id: 6c83cc7e6744257b549c530fbd4d0478e1ffa23f

-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
```

However, the problem persists with www.redhat.com. The issue seems to be:

```
* Version 2.7.6 (released 2009-02-27)

** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 and
   %VERIFY_ALLOW_X509_V1_CA_CRT.
   They can be used to override the default certificate chain validation
   behaviour.
```

which was undone in:

```
* Version 2.10.5 (released 2011-02-28)

** libgnutls: Reverted default behavior for verification and introduced
   GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT.
   Thus by default V1 trusted CAs are allowed, unless the new flag is
   specified.
```

Thus, to be able to connect to such sites in RHEL 6.x, one must use:

```
$ gnutls-cli --x509cafile /etc/pki/tls/certs/ca-bundle.crt www.redhat.com --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT
```

Unless there is more information about that being a bug rather than the documented behaviour, I'm inclined to close that as not a bug.

(In reply to Nikos Mavrogiannopoulos from comment #5)
> Unless there is more information about that being a bug rather than the
> documented behaviour I'm inclined to close that as not a bug.

Agreed, considering that no one else seems to have encountered this problem.
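Before loosening verification with `%VERIFY_ALLOW_X509_V1_CA_CRT` (or before relying on the 2.10.5 default that allows v1 trust anchors), an administrator would want to know which roots in a bundle are actually X.509 v1. A v1 certificate cannot carry extensions, so it has no Basic Constraints asserting that it is a CA; that missing assertion is why gnutls gates such anchors behind a flag. The following Python script is an added example, not code from this bug report or from gnutls: it inventories a PEM bundle with a minimal hand-written DER reader that decodes only the `version` and `serialNumber` fields of `tbsCertificate`. The GeoTrust Global CA certificate is the one pasted in the comment above; the two stub "certificates" are constructed, unsigned DER skeletons used only to exercise the v1/v3 branch, and every function name here is the example's own.

```python
import base64
import re

# The GeoTrust Global CA certificate exactly as pasted into the bug report.
# It is an X.509 v3 CA (Basic Constraints CA:TRUE), the kind of trust anchor
# gnutls accepts without any verification override.
GEOTRUST_GLOBAL_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one definite-length DER TLV; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def x509_version_and_serial(der):
    """Return (version, serial) of a DER-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... } ... }
    A v1 certificate omits the [0] element, so tbsCertificate starts with
    the serial number.
    """
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    version = 1
    if tag == 0xA0:  # explicit [0] version present: v2 or v3
        itag, istart, iend = _read_tlv(der, start)
        if itag != 0x02:
            raise ValueError("version is not an INTEGER")
        version = int.from_bytes(der[istart:iend], "big") + 1
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return version, int.from_bytes(der[start:end], "big")


def inventory(bundle_text):
    """Return [(index, version, serial)] for every PEM certificate in a bundle."""
    out = []
    for index, m in enumerate(PEM_BLOCK.finditer(bundle_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        version, serial = x509_version_and_serial(der)
        out.append((index, version, serial))
    return out


def find_v1_certificates(bundle_text):
    """Indexes and serials of v1 certificates: anchors with no Basic Constraints."""
    return [(i, s) for i, v, s in inventory(bundle_text) if v == 1]


def _stub_cert_pem(version, serial):
    """Constructed test input: an unsigned DER skeleton holding only the
    version/serial prefix of tbsCertificate. Not a real certificate."""
    body = bytes([0x02, 1, serial])  # serialNumber INTEGER (one byte, < 128)
    if version > 1:
        body = bytes([0xA0, 3, 0x02, 1, version - 1]) + body  # [0] { INTEGER }
    tbs = bytes([0x30, len(body)]) + body
    der = bytes([0x30, len(tbs)]) + tbs
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed bundle: the real v3 root from the report, then a v1 and a v3 stub.
CONSTRUCTED_BUNDLE = (GEOTRUST_GLOBAL_CA_PEM
                      + _stub_cert_pem(1, 7) + _stub_cert_pem(3, 9))

if __name__ == "__main__":
    print(inventory(CONSTRUCTED_BUNDLE))
    print(find_v1_certificates(CONSTRUCTED_BUNDLE))
```

Passing the text of `/etc/pki/tls/certs/ca-bundle.crt` (the path used in the comment) to `find_v1_certificates()` lists every anchor that a gnutls build with the stricter default would refuse; adding `%VERIFY_ALLOW_X509_V1_CA_CRT` then becomes a decision taken per anchor rather than a blanket relaxation of chain validation.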