<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/TheRealMichaelCatanzaro">Michael Catanzaro</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1008">#1008</a>:
</p>
<p dir="auto"><a href="https://sectigo.com/resource-library/sectigos-addtrust-root-is-soon-to-expire-what-you-need-to-know" rel="nofollow noreferrer noopener" target="_blank">Sectigo's old AddTrust root certificate expired earlier today.</a> This was supposed to go unnoticed by users because GnuTLS should ignore the expired root and instead use a non-expired root instead, given that it has the same public key as the expired one. <a href="https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration" rel="nofollow noreferrer noopener" target="_blank">Here is a blog post I found describing today's issue.</a></p>
<p dir="auto">In practice, a lot of websites depend on this root, so it's a bit of an apocalypse for Epiphany, and we'll likely start losing users to Firefox every day until resolved. :/ Example broken websites include:</p>
<ul dir="auto">
<li>
<a href="https://easylist-downloads.adblockplus.org" rel="nofollow noreferrer noopener" target="_blank">EasyList adblock filters</a> required for adblocking in Epiphany</li>
<li><a href="https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT" rel="nofollow noreferrer noopener" target="_blank">This knowledgebase article explaining how TLS clients will handle this certificate's expiration without issue</a></li>
</ul>
<p dir="auto">We actually have <a href="https://gitlab.gnome.org/GNOME/glib-networking/-/blob/533d3a76e2cc622b072e3ec789f69e888f3fd8eb/tls/tests/connection.c#L832" rel="nofollow noreferrer noopener" target="_blank">a test in glib-networking to ensure a similar case works</a>, and the test is passing, so the test must not be good enough. I'm trying to find the issue report where GnuTLS originally added support for this case, but am having some difficulty doing so (it was a while back... 2014? 2015?). The blog post I linked to above (quite rudely) implies GnuTLS is just bad at completing chains, but I .</p>
<p dir="auto">Example gnutls-cli:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ gnutls-cli support.sectigo.com</span>
<span id="LC2" class="line" lang="plaintext">Processed 157 CA certificate(s).</span>
<span id="LC3" class="line" lang="plaintext">Resolving 'support.sectigo.com:443'...</span>
<span id="LC4" class="line" lang="plaintext">Connecting to '13.109.141.149:443'...</span>
<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>
<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>
<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>
<span id="LC8" class="line" lang="plaintext"> - subject `CN=support.sectigo.com,OU=COMODO EV SSL,OU=IT,O=Comodo CA Limited,street=3rd Floor Building 26,street=Office Village Exchange Quay,street=Trafford Road,L=Salford,ST=Manchester,postalCode=M5 3EQ,C=GB,businessCategory=Private Organization,jurisdictionOfIncorporationCountryName=GB,serialNumber=04058690', issuer `CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x6a6d5a985263e1676288c3a67c3d61d3, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-01 00:00:00 UTC', expires `2020-10-31 23:59:59 UTC', pin-sha256="ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0="</span>
<span id="LC9" class="line" lang="plaintext">       Public Key ID:</span>
<span id="LC10" class="line" lang="plaintext">              sha1:d819ea14af7a4a45250f3d968050fffbaf36a1c7</span>
<span id="LC11" class="line" lang="plaintext">              sha256:b9e41d0df2283da354325e1eca7d7d2baa29bfa6eb47e3d0fc60ae6378711efd</span>
<span id="LC12" class="line" lang="plaintext">      Public Key PIN:</span>
<span id="LC13" class="line" lang="plaintext">              pin-sha256:ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0=</span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>
<span id="LC16" class="line" lang="plaintext"> - subject `CN=COMODO RSA Extended Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x06a74380d4ebfed435b5a3f7e16abdd8, RSA key 2048 bits, signed using RSA-SHA384, activated `2012-02-12 00:00:00 UTC', expires `2027-02-11 23:59:59 UTC', pin-sha256="Fbr/5aSOo4KRal8YE49t4lc76IOnK/oto9NWV1cSKWM="</span>
<span id="LC17" class="line" lang="plaintext">- Certificate[2] info:</span>
<span id="LC18" class="line" lang="plaintext"> - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="</span>
<span id="LC19" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. </span>
<span id="LC20" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>
<span id="LC21" class="line" lang="plaintext">*** Fatal error: Error in the certificate.</span></code></pre>
<p dir="auto">Again, the expired COMODO RSA Certification Authority root should just be ignored because there is a non-expired root with the same public key shipped by ca-certificates.</p>
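<p dir="auto">To make the path-building point concrete, here is an added, self-contained Python model (it is not GnuTLS, glib-networking or ca-certificates code). It reduces each certificate to subject, issuer, its own pin-sha256 and the pin of the key that signed it, with the signer pin standing in for a real signature check. The pins and validity dates for the three sent certificates are copied from the gnutls-cli output above; subjects are shortened to their CN, the AddTrust pin is a placeholder because the issue never shows it, and the 2010 to 2038 validity of the self-signed COMODO RSA root is assumed for the example. The naive checker takes the server's list literally and fails on the expired cross-certificate at position 2, exactly as gnutls-cli reports; the path builder consults the trust store at every step, finds a valid anchor with the same subject and key, and never touches the expired cross-certificate.</p>

```python
"""Chain validation two ways: literal chain-as-sent versus path building that
substitutes a valid trust anchor for an expired cross-certificate.

Added example, not project code.  Pins and dates of the sent certificates are
from the issue's gnutls-cli output; the AddTrust pin and the self-signed COMODO
root's validity are constructed/assumed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_pin: str    # pin-sha256 of this certificate's own public key
    signer_pin: str  # pin-sha256 of the key that signed it (stands in for the signature check)
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

    def is_signed_by(self, candidate: "Cert") -> bool:
        # Name chaining plus "signature" check against the candidate's key.
        return candidate.subject == self.issuer and candidate.spki_pin == self.signer_pin


# pin-sha256 values as printed by gnutls-cli in the issue.
PIN_LEAF = "ueQdDfIoPaNUMl4eyn19K6opv6brR+PQ/GCuY3hxHv0="
PIN_EV_CA = "Fbr/5aSOo4KRal8YE49t4lc76IOnK/oto9NWV1cSKWM="
PIN_COMODO_RSA = "grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
PIN_ADDTRUST = "ADDTRUST-PIN-NOT-SHOWN-IN-ISSUE"  # constructed placeholder

# The three certificates support.sectigo.com sends (subjects shortened to the CN).
SENT_CHAIN = [
    Cert("CN=support.sectigo.com", "CN=COMODO RSA Extended Validation Secure Server CA",
         PIN_LEAF, PIN_EV_CA, utc(2018, 11, 1), utc(2020, 10, 31, 23, 59, 59)),
    Cert("CN=COMODO RSA Extended Validation Secure Server CA", "CN=COMODO RSA Certification Authority",
         PIN_EV_CA, PIN_COMODO_RSA, utc(2012, 2, 12), utc(2027, 2, 11, 23, 59, 59)),
    # Cross-certificate: COMODO's root key, signed by AddTrust, expired 2020-05-30.
    Cert("CN=COMODO RSA Certification Authority", "CN=AddTrust External CA Root",
         PIN_COMODO_RSA, PIN_ADDTRUST, utc(2000, 5, 30, 10, 48, 38), utc(2020, 5, 30, 10, 48, 38)),
]

# Trust store modelled on ca-certificates: the AddTrust root (same dates as the
# cross-certificate) and the self-signed COMODO RSA root, which has the same
# subject and the same key as SENT_CHAIN[2].  Its 2010-2038 validity is assumed.
TRUST_STORE = [
    Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
         PIN_ADDTRUST, PIN_ADDTRUST, utc(2000, 5, 30, 10, 48, 38), utc(2020, 5, 30, 10, 48, 38)),
    Cert("CN=COMODO RSA Certification Authority", "CN=COMODO RSA Certification Authority",
         PIN_COMODO_RSA, PIN_COMODO_RSA, utc(2010, 1, 19), utc(2038, 1, 18, 23, 59, 59)),
]


def verify_as_sent(chain, trust_store, now) -> Optional[str]:
    """Naive check: validate the server's list literally, in order.
    Returns an error string, or None when the chain verifies."""
    for i, cert in enumerate(chain):
        if not cert.is_valid_at(now):
            return f"certificate[{i}] {cert.subject} is expired or not yet valid"
        if i + 1 < len(chain) and not cert.is_signed_by(chain[i + 1]):
            return f"certificate[{i}] is not signed by certificate[{i + 1}]"
    last = chain[-1]
    for anchor in trust_store:
        if last.is_signed_by(anchor) and anchor.is_valid_at(now):
            return None
    return f"no valid trust anchor for {last.issuer}"


def build_path(leaf, sent, trust_store, now, max_depth=8):
    """Path builder: at every step prefer a currently valid trust anchor over
    anything the server sent, so an expired cross-certificate whose key is also
    held as a valid anchor is simply never used.  Returns leaf..anchor or None."""
    if not leaf.is_valid_at(now):
        return None

    def search(path):
        cur = path[-1]
        for anchor in trust_store:              # 1. stop at a valid anchor if one fits
            if cur.is_signed_by(anchor) and anchor.is_valid_at(now):
                return path + [anchor]
        if len(path) >= max_depth:
            return None
        for inter in sent:                      # 2. otherwise extend with a valid sent cert
            if inter in path or not cur.is_signed_by(inter) or not inter.is_valid_at(now):
                continue
            found = search(path + [inter])
            if found:
                return found
        return None

    return search([leaf])


if __name__ == "__main__":
    now = utc(2020, 5, 30, 18, 0)  # a few hours after the AddTrust root expired
    print("as sent:", verify_as_sent(SENT_CHAIN, TRUST_STORE, now))
    path = build_path(SENT_CHAIN[0], SENT_CHAIN, TRUST_STORE, now)
    print("built:  ", " -> ".join(c.subject for c in path) if path else None)
```

Run the same two functions with a clock set to the day before expiry and the naive check passes too, which is why a test that only exercises the happy path would not have caught this; the case that matters is a trust store where the only valid anchor for the intermediate's issuer is the self-signed copy, with the cross-certificate still present in the sent chain.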

</div>
</body>
</html>