486725 – ntop: Ships with expired x509 cerificate

Bug 486725 - ntop: Ships with expired x509 cerificate

Summary: ntop: Ships with expired x509 cerificate

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	ntop
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Rakesh Pandit
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	public=20090220,reported=20090220,sou...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-02-21 13:29 UTC by Jan Lieskovsky
Modified:	2009-03-17 09:12 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-03-06 06:51:05 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2009-02-21 13:29:02 UTC

The x509 certificate as shipped with ntop is a network traffic probe 
has already expired. Please remove it or extend its validity.

Relevant file:
/etc/ntop/ntop-cert.pem

Comment 1 Jan Lieskovsky 2009-02-21 13:30:53 UTC

# openssl verify /etc/ntop/ntop-cert.pem
/etc/ntop/ntop-cert.pem: /C=IT/ST=Pisa/O=ntop.org/CN=Luca Deri/emailAddress=deri
error 18 at 0 depth lookup:self signed certificate
/C=IT/ST=Pisa/O=ntop.org/CN=Luca Deri/emailAddress=deri
error 10 at 0 depth lookup:certificate has expired
OK

or
# openssl x509 -in /etc/ntop/ntop-cert.pem -text | head -10
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=Pisa, O=ntop.org, CN=Luca Deri/emailAddress=deri
        Validity
            Not Before: Dec 23 16:58:34 2001 GMT
            Not After : Dec 23 16:58:34 2002 GMT
        Subject: C=IT, ST=Pisa, O=ntop.org, CN=Luca Deri/emailAddress=deri

Comment 2 Jan Lieskovsky 2009-02-21 13:32:15 UTC

This issue affects the versions of the ntop package, as shipped with 
Fedora release of 9, 10 and devel and Red Hat HPC Solution v5.

Comment 3 Tomas Hoger 2009-02-23 09:06:56 UTC

This is fairly sloppy packaging, but how is this a security vulnerability?  If someone wants to use https connection to ntop's web server, they'd notice immediately.

However, it seems that ntop should generate ntop-cert.pem upon installation (see postinstall in mod_ssl for example), instead of shipping some pre-packaged keys / certificates.

Comment 4 Fedora Update System 2009-03-03 09:48:27 UTC

ntop-3.3.8-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntop-3.3.8-2.fc10

Comment 5 Tomas Hoger 2009-03-03 09:56:57 UTC

Moving to Fedora / ntop, as I'm not convinced this should be treated as security vulnerability fix.

Comment 6 Fedora Update System 2009-03-03 15:25:25 UTC

ntop-3.3.8-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ntop'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2253

Comment 7 Rakesh Pandit 2009-03-06 06:51:05 UTC

It seems this has been fixed and will be available soon. If problem persist reopen.

Comment 8 Fedora Update System 2009-03-17 09:12:01 UTC

ntop-3.3.8-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ntop-3.3.8-3.fc10

Note You need to log in before you can comment on or make changes to this bug.