Launchpad has imported 9 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=733032.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2011-08-24T14:30:42+00:00 Philip wrote: Description of problem: This certificate is missing. "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA" Version-Release number of selected component (if applicable): ca-certificates-2011.70-2.fc15.noarch How reproducible: Always Steps to Reproduce: 1. wget https://secure.vonage.com/ Actual results: wget returns error because of missing certificate. Expected results: Additional info: Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/0 ------------------------------------------------------------------------ On 2011-11-04T23:20:31+00:00 Brad wrote: I believe The actual problem is *not* the lack of the intermediate certificate "CN=VeriSign Class 3 Extended Validation SSL SGC CA", it is in fact that a root certificate Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority Serial: 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf was present in ca-certificates 2010.63-3, but missing in the recently released ca-certificates-2011.78-1.fc14.noarch. The missing CA certificate is still valid according to VeriSign and Mozilla. This is a bit confusing, although the root certificate is valid, VeriSign stopped using it for signing in 5/2009, replacing it with another certificate with the same subject and keyid, but a different serial number (3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be), as part of their move away from MD2 signatures. My workaround: Add the dropped certificate manually back into /etc/pki/tls/certs/ca-bundle.crt I notice that big sites such as vonage, paypal, optionsxpress still deliver certificates whose trust is ultimately established by the now missing root certificate. Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/1 ------------------------------------------------------------------------ On 2011-11-04T23:26:04+00:00 Brad wrote: Created attachment 531861 The missing certificate Appending this root certificate to /etc/pki/tls/certs/ca-bundle.crt restores validation of the sites mentioned herein. But it's never a good idea to trust root CA's from strangers. So consider this as posted just for reference. :) Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/2 ------------------------------------------------------------------------ On 2011-11-07T13:49:13+00:00 Joe wrote: The list of trusted CAs is inherited from upstream (Mozilla) and we are not going to change it ourselves within Fedora - sorry. Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/3 ------------------------------------------------------------------------ On 2011-11-07T17:40:35+00:00 Brad wrote: (In reply to comment #3) > The list of trusted CAs is inherited from upstream (Mozilla) and we are not > going to change it ourselves within Fedora - sorry. Just a few more notes. Both the SH1 and MD2 certificates *do* appear to be included in Mozilla's certdata.txt r1.78 (at lines 1010 and 17805), yet the MD2 certficate is not in ca-bundle.crt in package ca-certificates. I believe the bug is in certdata2pem.py, which does not handle the case where two certificates have the same CKA_LABEL (as is the case in certdata.txt r1.78), since it tries to output both certificates to the same file (one overwrites the other). I'll add for the google that the Class 3 certificate is not the only one that gets dropped from ca-bundle.pem by the certdata2pem.py script. "Verisign Class 1 Public Primary Certification Authority" also appears as the label of two different certs (same underlying key, signed in two different ways). Regards, Brad Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/4 ------------------------------------------------------------------------ On 2011-11-09T22:39:36+00:00 Joe wrote: Ah, good catch Brad, thanks for checking! Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/5 ------------------------------------------------------------------------ On 2011-11-15T18:35:36+00:00 Brad wrote: Created attachment 533817 For your review, I'd propose this patch to fix this. Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/6 ------------------------------------------------------------------------ On 2011-11-15T18:43:09+00:00 Brad wrote: Created attachment 533818 For your review, I'd propose this patch to fix this. Oops, RHBZ didn't like my patch format. Try this. Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/7 ------------------------------------------------------------------------ On 2012-08-07T19:53:09+00:00 Fedora wrote: This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Reply at: https://bugs.launchpad.net/ubuntu/+source/ca- certificates/+bug/1031333/comments/18 ** Changed in: ca-certificates (Fedora) Status: Unknown => Won't Fix ** Changed in: ca-certificates (Fedora) Importance: Unknown => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1031333 Title: Missing Verisign certs due to broken extract script Status in ca-certificates package in Ubuntu: Fix Released Status in ca-certificates package in Debian: Fix Released Status in ca-certificates package in Fedora: Won't Fix Bug description: Verisign shipped G1 PCA Roots with md2 signatures on them. At some point, they resigned those roots using SHA1, but requested that the original certs keep shipping in Mozilla's cert list as they had issued intermediates with AKIs that point to the MD2 versions. See discussion here: https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ Now, ca-certificates uses a script called "certdata2pem.py" to extract the certificates from the certdata.txt file provided by Mozilla into individual files. Unfortunately, the script names the certificate file using the CKA_LABEL. In two instances, the verisign md2 and sha1 certs have the same CKA_LABEL, so the script is overwriting the first one (md2) with the second one (sha1). This results in the Verisign md2 certs being missing from the system ca certs. This usually isn't a problem except in the case where a website is handing out a complete cert chain, including the md2 root cert. When that happens, webkit is unable to verify the md2 root cert, and the connection fails. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1031333/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
