Distrust "DST Root CA X3"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ca-certificates (Debian) | Fix Released | Unknown | |
ca-certificates (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
Trusty | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Marc Deslauriers |
Focal | Fix Released | Undecided | Marc Deslauriers |
Hirsute | Fix Released | Undecided | Marc Deslauriers |
Impish | Fix Released | Undecided | Marc Deslauriers |
Bug Description
[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3", which cross-signs the letsencrypt CA
* "DST Root CA X3" is about to expire; however, it has issued an updated cross-signature to letsencrypt that is valid beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial; however, trusty systems remain affected. Also, any self-built old copies of openssl/gnutls remain susceptible to this expiry.
* One solution is to blacklist "DST Root CA X3" in the ca-certificates package, as described at https:/
* This is similar to how this was handled for AddTrust before
* mozilla/
[Test Plan]
* Install old/current ca-certificates faketime wget curl libcurl3-gnutls
# faketime 2021-10-01 wget https:/
--2021-10-01 00:00:00-- https:/
Resolving pskov.surgut.co.uk (pskov.
Connecting to pskov.surgut.co.uk (pskov.
ERROR: cannot verify pskov.surgut.
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-
# LD_PRELOAD=
% Total % Received % Xferd Average Speed Time Time Time Current
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
* Install new ca-certificates package
# faketime 2021-10-01 wget https:/
--2021-10-01 00:00:00-- https:/
Resolving pskov.surgut.co.uk (pskov.
Connecting to pskov.surgut.co.uk (pskov.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[==
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]
LD_PRELOAD=
% Total % Received % Xferd Average Speed Time Time Time Current
100 612 100 612 0 0 5794 0 --:--:-- --:--:-- --:--:-- 5828
Download is successful.
[Where problems could occur]
* Connectivity to websites chaining only to "DST Root CA X3" will not work, even under faketime set to dates prior to 30 September 2021, as the "DST Root CA X3" certificate is no longer installed. Users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.
[Other Info]
* Related openssl and gnutls28 bugs are https:/
information type: Private Security → Public Security
Changed in ca-certificates (Ubuntu Bionic): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Focal): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Hirsute): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Impish): assignee: nobody → Marc Deslauriers (mdeslaur)
tags: added: patch
Changed in ca-certificates (Ubuntu Impish): status: New → Fix Committed
Changed in ca-certificates (Ubuntu Trusty): status: New → Fix Released
Changed in ca-certificates (Ubuntu Xenial): status: New → Fix Released
information type: Public Security → Private Security
information type: Private Security → Public
information type: Public → Public Security
no longer affects: ca-certificates (Fluxbuntu)
Changed in ca-certificates (Debian): status: Unknown → Fix Released
This bug was fixed in the package ca-certificates - 20210119~20.04.2
---------------
ca-certificates (20210119~20.04.2) focal-security; urgency=medium
[ Dimitri John Ledkov ]
* mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
(LP: #1944481)
-- Marc Deslauriers <email address hidden> Wed, 22 Sep 2021 07:46:54 -0400