Skip Menu |
 

This queue is for tickets about the Mozilla-CA CPAN distribution.

Report information
The Basics
Id: 101908
Status: open
Priority: 0/
Queue: Mozilla-CA

People
Owner: Nobody in particular
Requestors: DAKKAR [...] cpan.org
ether [...] cpan.org
JIRA [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 20141217
Fixed in: (no value)



Subject: A Verisign CA certificate was dropped, but is still in use in the wild
Download (untitled) / with headers
text/plain 1.7k
Hello. In release 20141217, the certificate "Verisign Class 3 Public Primary Certification Authority" disappeared. That certificate is still listed as essentially valid on https://www.symantec.com/page.jsp?id=roots (formerly https://www.verisign.com/support/roots.html ): Description: This root CA is the root used for Secure Site Pro Certificates, Premium SSL Certificates and Code Signing Certificates. It is intended to be the primary root used for these products until Q4 2010 when VeriSign transitions to using a 2048 bit root. After that transition this CA will be used as part of a cross certification to ensure legacy applications continue to trust VeriSign certificates and must continue to be included in root stores by vendors. This root is expected to be used in this way at least until 12/31/2013 and vendors should not plan on removing support for this root until officially advised that the root is no longer needed to support certificates or CRL validation. But looking at the http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt (Mozilla "release" source), that certificate is marked as "MUST_VERIFY_TRUST" instead of "TRUSTED_DELEGATOR", which of course makes the mk-ca-bundle.pl script skip it Problem is, many places still use certificates signed by that, and those certificates are not going to expire for quite some time (the server that prompted this investigation, onlinetools.ups.com, has a certificate that will expire at the end of 2016). I'm not sure what the solution should be, and I'm going to publish a new release of Net::UPS that suggests using a different certificate store, but other people may get bitten by the same problem, so I thought I'd give you a heads-up.
Subject: Re: [rt.cpan.org #101908] A Verisign CA certificate was dropped, but is still in use in the wild
Date: Tue, 3 Feb 2015 16:21:58 +0000
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
Download (untitled) / with headers
text/plain 177b
Can you bring it up with the Mozilla people? It seems more appropriate that they should fix it — or maybe we are misinterpreting the flags and should be including this cert?
Subject: Re: [rt.cpan.org #101908] A Verisign CA certificate was dropped, but is still in use in the wild
Date: Tue, 3 Feb 2015 16:53:51 +0000
To: "ask [...] perl.org via RT" <bug-Mozilla-CA [...] rt.cpan.org>
From: Gianni Ceccarelli <dakkar [...] thenautilus.net>
Download (untitled) / with headers
text/plain 685b
On 2015-02-03 "ask@perl.org via RT" <bug-Mozilla-CA@rt.cpan.org> wrote: Show quoted text
> Can you bring it up with the Mozilla people? It seems more > appropriate that they should fix it — or maybe we are misinterpreting > the flags and should be including this cert?
That's the part where I say "I don't know what the correct solution is" :( If I understand correctly what Firefox tells me when I ask it details on the certificate of the onlinetoos.ups.com server (and I may be very wrong here), Firefox cuts the validation short one level, so it does not need the root certificate, because it trusts one of the intermediate ones. But I know very little of SSL/PKI, it's all a bit over my head.
Download (untitled)
application/pgp-signature 181b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 951b
On Tue Feb 03 11:54:05 2015, dakkar@thenautilus.net wrote: Show quoted text
> On 2015-02-03 "ask@perl.org via RT" <bug-Mozilla-CA@rt.cpan.org> wrote:
> > Can you bring it up with the Mozilla people? It seems more > > appropriate that they should fix it — or maybe we are misinterpreting > > the flags and should be including this cert?
> > That's the part where I say "I don't know what the correct solution > is" :( > > If I understand correctly what Firefox tells me when I ask it details > on the certificate of the onlinetoos.ups.com server (and I may be very > wrong here), Firefox cuts the validation short one level, so it does > not need the root certificate, because it trusts one of the > intermediate ones. > > But I know very little of SSL/PKI, it's all a bit over my head.
I have a small test which demonstrates the problem here https://github.com/gisle/mozilla-ca/pull/5 Thought it would be helpful to link the Github issue and this discussion.
Download (untitled) / with headers
text/plain 184b
Another effect of dropping that certificate: http://blogs.perl.org/users/byterock/2015/03/ca-ssl-https-heck.html Part of AWS has certificates signed with Verisign's "G3" certificate.
RT-Send-CC: dakkar [...] thenautilus.net, ask [...] perl.org
Download (untitled) / with headers
text/plain 305b
We are seeing this issue in our codebase and it is a serious problem. The initial temporary workaround is to backrev the module to the 20130114 version so that our test suite will pass. I suspect we will have to include the missing certificate ourselves as a more permanent fix which is less than ideal.
Subject: Re: [rt.cpan.org #101908] A Verisign CA certificate was dropped, but is still in use in the wild
Date: Tue, 14 Apr 2015 08:44:48 -0700
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
Download (untitled) / with headers
text/plain 310b
Show quoted text
> On Apr 14, 2015, at 1:53, Sue Spence via RT <bug-Mozilla-CA@rt.cpan.org> wrote: > > We are seeing this issue in our codebase and it is a serious problem.
Hi Sue, Your SSL library isn’t processing the trust chain appropriately. See https://github.com/gisle/mozilla-ca/pull/5#issuecomment-90425221 Ask
Download (untitled) / with headers
text/plain 990b
I've run into this issue a few times with different hosts and a few different CAs. The issue of CA trust chains breaking has been increasing over the past year or two. Unfortunately, there is no central root-server-like repository to define a global trust bundle, so we've decided to default one that comes from a popular browser. However, with the failures I've experienced, the Mozilla CA bundle is no longer reliable, from my POV, at least not by itself. I've tried Chrome's set (even considered a Chrome::CA module), but that has gaps, too. I'm going to try a set from CloudFlare to see if that provides the coverage we need: https://github.com/cloudflare/cfssl_trust But, this is just guesswork and poking around to see what fits. Why should CloudFlare be the central authority on this? They were just somebody who decided to combine a bunch of these sets together and release it on Github. Anyway, anybody having these issues should try that bundle out and see if that fits.
Le 2015-02-03 16:33:26, DAKKAR a écrit :
Show quoted text
> Hello.
>
> In release 20141217, the certificate "Verisign Class 3 Public Primary
> Certification Authority" disappeared. That certificate is still listed
> as essentially valid on https://www.symantec.com/page.jsp?id=roots
> (formerly https://www.verisign.com/support/roots.html ):

Please update if this issue is still relevant with release 20160104.


-- 
Olivier Mengué - http://perlresume.org/DOLMEN


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.