ADT results at https://bileto.ubuntu.com/excuses/4594/xenial.html
** Description changed: [Impact] * openssl fails to talk to letsencrypt website past September 2021, despite trusting the letsencrypt root certificate. [Test Plan] * Import staging cert equivalent to ISRG Root X1 https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem * Import expired staging cert equivalen tto DST Root CA X3 https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem * Test connectivity to the expired-root-ca test website https://expired-root-ca-test.germancoding.com setup: apt install openssl ca-certificates wget wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem cat letsencrypt-stg-root-x1.pem letsencrypt-stg-root-dst.pem >> ca.pem test case: openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile ca.pem bad result: connection failed verify depth is 1 CONNECTED(00000003) depth=3 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3 verify error:num=10:certificate has expired notAfter=Jan 30 14:01:15 2021 GMT 140672978626200:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264: good result: connection successful verify depth is 1 CONNECTED(00000003) depth=2 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1 verify return:1 depth=1 C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3 verify return:1 depth=0 CN = expired-root-ca-test.germancoding.com verify return:1 --- Certificate chain 0 s:/CN=expired-root-ca-test.germancoding.com i:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3 1 s:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3 i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1 2 s:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1 i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Doctored Durian Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- Connection should be successful and trusted with correctly working openssl s_client that can manage to ignore expired CA, and build a valid trust path using non-expired CA in the chain. [Where problems could occur] * Changes as to how the trust paths are built in TLS connection may result in introducing bugs (failure to connect to valid sites) and/or security vulnerabilities (connecting to invalid sites successfully). [Other Info] * Background info * The current chain from letsencrypt is expiring, they are adding a new chain, but also keeping the expiring one. This will result in connectivity issues when using old gnutls/openssl against websites using the default letsencrypt configuration after September 2021. https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816 https://community.letsencrypt.org/t/questions-re-openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143817 Currently openssl in xenial and earlier will not establish a connection, if any parts of the trust chain have expired, even though alternative non-expired chains are available. This has been fixed in OpenSSL 1.1.0+ by setting X509_V_FLAG_TRUSTED_FIRST by default see https://github.com/openssl/openssl/commit/0daccd4dc1f1ac62181738a91714f35472e50f3c + Note only the new default flag is backported on its own. The other + changes to more strongly verify additional auxiliary trust OIDs and key + usage are not backported. + gnutls bug for this is https://bugs.launchpad.net/ubuntu/bionic/+source/gnutls28/+bug/1928648 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1928989 Title: expiring trust anchor compatibility issue To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
