On Sun, 24 Mar 2013 18:33:54 -0400, Daniel Kahn Gillmor wrote:

> In X.509, ...

Thank you for the mini-tutorial on terminology. The certificates I am concerned about in this bug are "regular EE certificates."

> Using MD5 for X.509 signatures of intermediate
> CAs and EE certificates has been a bad idea for years

Agreed.

> So: if you're operating a certificate authority, you really need to
> ensure that all of the certificates are at least as strong as SHA-1.

I agree that the certificate in question shouldn't have contained an MD5 digest. That is now fixed as stated above. I checked everything else signed by the CA and it is all SHA-1. Even the CA certificate's own digest was SHA-1.

> If you ask Icedove to connect to a server like this, it will provide a
> message like "Certificate is not trusted, because it hasn't been
> verified by a trusted authority using a secure signature" or "The
> certificate was signed using a signature algorithm that is disabled
> because it is not secure."

If Icedove's behavior were as you just described, this bug probably would not have been filed. With libnss3 2:3.13.6-2, the EE certificate with MD5 was accepted and Icedove performed all its functions. But with libnss3 2:3.14.3-1, on my system Icedove did not complete the connection (it "hung") and issued no message. I observed the same message in the server log as the original poster described in message #10, repeated here for convenience:

error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

When I looked up this error message, I found the following:

"SSL peer cannot verify your certificate. The remote system has received a certificate from the local system, and has rejected it for some reason."

So maybe the bug is in Icedove: it failed to handle this error condition in a way an end user might comprehend. No user should need to look in the server log to find out why his email user agent isn't responding when trying to retrieve mail.

Thanks for all your comments. They have helped improve my understanding of this bug.

Cheers,
Phil

