[gnutls-devel] GnuTLS | Handle expiration of AddTrust root certificate (#1008)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun May 31 00:08:46 CEST 2020 


Michael Catanzaro created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1008



[Sectigo's old AddTrust root certificate expired earlier today.](https://sectigo.com/resource-library/sectigos-addtrust-root-is-soon-to-expire-what-you-need-to-know) This was supposed to go unnoticed by users because GnuTLS should ignore the expired root and instead use a non-expired root instead, given that it has the same public key as the expired one. [Here is a blog post I found describing today's issue.](https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration)

In practice, a lot of websites depend on this root, so it's a bit of an apocalypse for Epiphany, and we'll likely start losing users to Firefox every day until resolved. :/ Example broken websites include:

 * [EasyList adblock filters](https://easylist-downloads.adblockplus.org) required for adblocking in Epiphany
 * [This knowledgebase article explaining how TLS clients will handle this certificate's expiration without issue](https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT)

We actually have [a test in glib-networking to ensure a similar case works](https://gitlab.gnome.org/GNOME/glib-networking/-/blob/533d3a76e2cc622b072e3ec789f69e888f3fd8eb/tls/tests/connection.c#L832), and the test is passing, so the test must not be good enough. I'm trying to find the issue report where GnuTLS originally added support for this case, but am having some difficulty doing so (it was a while back... 2014? 2015?). The blog post I linked to above (quite rudely) implies GnuTLS is just bad at completing chains, but I .

Example gnutls-cli:

```
$ gnutls-cli support.sectigo.com
Processed 157 CA certificate(s).
Resolving 'support.sectigo.com:443'...
Connecting to '13.109.141.149:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=support.sectigo.com,OU=COMODO EV SSL,OU=IT,O=Comodo CA Limited,street=3rd Floor Building 26,street=Office Village Exchange Quay,street=Trafford Road,L=Salford,ST=Manchester,postalCode=M5 3EQ,C=GB,businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=GB,serialNumber=04058690', issuer `CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x6a6d5a985263e1676288c3a67c3d61d3, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-01 00:00:00 UTC', expires `2020-10-31 23:59:59 UTC', pin-sha256="ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0="
	Public Key ID:
		sha1:d819ea14af7a4a45250f3d968050fffbaf36a1c7
		sha256:b9e41d0df2283da354325e1eca7d7d2baa29bfa6eb47e3d0fc60ae6378711efd
	Public Key PIN:
		pin-sha256:ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0=

- Certificate[1] info:
 - subject `CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x06a74380d4ebfed435b5a3f7e16abdd8, RSA key 2048 bits, signed using RSA-SHA384, activated `2012-02-12 00:00:00 UTC', expires `2027-02-11 23:59:59 UTC', pin-sha256="Fbr/5aSOo4KRal8YE49t4lc76IOnK/oto9NWV1cSKWM="
- Certificate[2] info:
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

Again, the expired COMODO RSA Certification Authority root should just be ignored because there is a non-expired root with the same public key shipped by ca-certificates.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1008
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200530/5ead07ac/attachment.html>

More information about the Gnutls-devel mailing list