RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1840767 - AddTrust External CA Root Expiring May 30, 2020
Summary: AddTrust External CA Root Expiring May 30, 2020
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl
Version: 7.9
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
: 1840928 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-27 14:56 UTC by Evan Stuart
Modified: 2023-10-06 20:17 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-27 16:46:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Evan Stuart 2020-05-27 14:56:58 UTC 
Description of problem:

source: https://www.cmu.edu/iso/service/cert-auth/addtrust.html

Sectigo's legacy AddTrust External CA Root certificate expires on May 30, 2020. Modern clients should largely be unaffected. However, legacy clients, OpenSSL based clients, OpenLDAP clients, and clients configured to explicitly trust the AddTrust root instead of relying on an operating system or vendor managed truststore may need client or server reconfiguration to avoid loss of service.

Devices that received security updates after mid 2015 should have the modern USERTrust RSA Certification Authority root certificate (valid until Jan 2038) in their operating system or browser truststores and largely be unaffected.

Legacy devices that have not received updates to support newer roots will inevitably be missing other essential security updates and support for standards required by the modern Internet. We strongly encourage decommissioning these devices if their software cannot be upgraded. Non-upgraded, legacy devices should never be exposed to the Internet and special mitigations should be applied to isolate them from neighbor systems.

Client software based on OpenSSL prior to version 1.1.1 appear to have broken certificate path validation logic and require workarounds.

OpenLDAP clients on some platforms appear to have broken certificate path validation logic and require workarounds.

Clients configured to explicitly trust the AddTrust root may need client reconfiguration to either: 1) rely on operating system or vendor managed truststores or 2) explicitly trust the USERTrust RSA Certification Authority root or the alternative legacy AAA Certificate Services root (valid until Dec 2028).




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:

Client software that use OpenSSL libraries prior to version 1.1.1 for certificate path validation appear to always validate the full Trust Chain A sent from the server even though modern roots were configured to validate Trust Chain B.

This unfortunate behavior was observed on Red Hat Enterprise Linux 6 (OpenSSL 1.0.1e-fips) and 7 (OpenSSL 1.0.2k-fips). On our test devices, advancing the clock past June 1, 2020 and attempting connections to servers that sent Trust Chain A resulted in failed connections. In these tests, OpenSSL returned expired certificate errors even though Trust Chain B's root was available in the truststores. This behavior appears to be fixed in Red Hat Enterprise Linux 8 (OpenSSL 1.1.1c FIPS) and Ubuntu 14.04 (OpenSSL 1.1.1) as the same clock advancing tests resulted in successful connections and OpenSSL validating properly to Trust Chain B's root.

To workaround this unfortunate behavior, configure the server to send Trust Chain B or Trust Chain C and configure the clients to use the operating system managed truststore or explicitly trust either the USERTrust RSA Certification Authority root or AAA Certificate Services root (depending on what the server sends).

Examples of client programs that use OpenSSL for certificate path validation and were tested include OpenLDAP and postfix.


Expected results:


Additional info:
Comment 7 Simo Sorce 2020-05-27 16:45:25 UTC 
Evan,
I do not think changing trust store CA certificates will have any effect on what a server sends to the clients.
What the server send is usually store in a certificate file and certificate chain files that are separate from the system trust store.

I agree with Tomáŝ that this bug was opened way too late to provide a fix in time to avoid the issue, a software fix should have been requested 6 months ago for an issue like this.

The blog post that explain how to fix servers is the only thing we can reasonably do to help.

I am going to close this bug as CANTFIX, please follow up via email if you want to collaborate on a blog post.

HTH,
Simo.
Comment 8 Tomas Mraz 2020-05-28 06:52:08 UTC 
*** Bug 1840928 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.