Skip Menu |

This queue is for tickets about the Mozilla-CA CPAN distribution.

Report information
The Basics
Id: 101908
Status: open
Priority: 0/
Queue: Mozilla-CA
People
Owner: Nobody in particular
Requestors: DAKKAR [...] cpan.org
ether [...] cpan.org
JIRA [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: 20141217
Fixed in: (no value)

History Show all quoted text
  Tue Feb 03 10:33:26 2015 DAKKAR [...] cpan.org - Ticket created
Subject: A Verisign CA certificate was dropped, but is still in use in the wild
Hello. In release 20141217, the certificate "Verisign Class 3 Public Primary Certification Authority" disappeared. That certificate is still listed as essentially valid on https://www.symantec.com/page.jsp?id=roots (formerly https://www.verisign.com/support/roots.html ): Description: This root CA is the root used for Secure Site Pro Certificates, Premium SSL Certificates and Code Signing Certificates. It is intended to be the primary root used for these products until Q4 2010 when VeriSign transitions to using a 2048 bit root. After that transition this CA will be used as part of a cross certification to ensure legacy applications continue to trust VeriSign certificates and must continue to be included in root stores by vendors. This root is expected to be used in this way at least until 12/31/2013 and vendors should not plan on removing support for this root until officially advised that the root is no longer needed to support certificates or CRL validation. But looking at the http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt (Mozilla "release" source), that certificate is marked as "MUST_VERIFY_TRUST" instead of "TRUSTED_DELEGATOR", which of course makes the mk-ca-bundle.pl script skip it Problem is, many places still use certificates signed by that, and those certificates are not going to expire for quite some time (the server that prompted this investigation, onlinetools.ups.com, has a certificate that will expire at the end of 2016). I'm not sure what the solution should be, and I'm going to publish a new release of Net::UPS that suggests using a different certificate store, but other people may get bitten by the same problem, so I thought I'd give you a heads-up.
  Tue Feb 03 11:21:20 2015 ask [...] perl.org - Correspondence added
Subject: Re: [rt.cpan.org #101908] A Verisign CA certificate was dropped, but is still in use in the wild
Date: Tue, 3 Feb 2015 16:21:58 +0000
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
Can you bring it up with the Mozilla people? It seems more appropriate that they should fix it — or maybe we are misinterpreting the flags and should be including this cert?
  Tue Feb 03 11:21:20 2015 The RT System itself - Status changed from 'new' to 'open'
  Tue Feb 03 11:54:05 2015 dakkar [...] thenautilus.net - Correspondence added
Subject: Re: [rt.cpan.org #101908] A Verisign CA certificate was dropped, but is still in use in the wild
Date: Tue, 3 Feb 2015 16:53:51 +0000
To: "ask [...] perl.org via RT" <bug-Mozilla-CA [...] rt.cpan.org>
From: Gianni Ceccarelli <dakkar [...] thenautilus.net>
On 2015-02-03 "ask@perl.org via RT" <bug-Mozilla-CA@rt.cpan.org> wrote: Show quoted text
> Can you bring it up with the Mozilla people? It seems more > appropriate that they should fix it — or maybe we are misinterpreting > the flags and should be including this cert?
That's the part where I say "I don't know what the correct solution is" :( If I understand correctly what Firefox tells me when I ask it details on the certificate of the onlinetoos.ups.com server (and I may be very wrong here), Firefox cuts the validation short one level, so it does not need the root certificate, because it trusts one of the intermediate ones. But I know very little of SSL/PKI, it's all a bit over my head.
Download (untitled)
application/pgp-signature 181b

Message body not shown because it is not plain text.

  Fri Feb 13 10:34:51 2015 olaf [...] wundersolutions.com - Correspondence added
On Tue Feb 03 11:54:05 2015, dakkar@thenautilus.net wrote: Show quoted text
> On 2015-02-03 "ask@perl.org via RT" <bug-Mozilla-CA@rt.cpan.org> wrote:
> > Can you bring it up with the Mozilla people? It seems more > > appropriate that they should fix it — or maybe we are misinterpreting > > the flags and should be including this cert?
> > That's the part where I say "I don't know what the correct solution > is" :( > > If I understand correctly what Firefox tells me when I ask it details > on the certificate of the onlinetoos.ups.com server (and I may be very > wrong here), Firefox cuts the validation short one level, so it does > not need the root certificate, because it trusts one of the > intermediate ones. > > But I know very little of SSL/PKI, it's all a bit over my head.
I have a small test which demonstrates the problem here https://github.com/gisle/mozilla-ca/pull/5 Thought it would be helpful to link the Github issue and this discussion.
  Tue Feb 17 18:55:47 2015 ether [...] cpan.org - Requestor ETHER added
  Mon Mar 30 05:44:21 2015 DAKKAR [...] cpan.org - Correspondence added
Another effect of dropping that certificate: http://blogs.perl.org/users/byterock/2015/03/ca-ssl-https-heck.html Part of AWS has certificates signed with Verisign's "G3" certificate.
  Wed Apr 08 04:41:53 2015 JIRA [...] cpan.org - Requestor JIRA added
  Tue Apr 14 04:53:02 2015 sue_cpan [...] pennine.com - Correspondence added
RT-Send-CC: dakkar [...] thenautilus.net, ask [...] perl.org
We are seeing this issue in our codebase and it is a serious problem. The initial temporary workaround is to backrev the module to the 20130114 version so that our test suite will pass. I suspect we will have to include the missing certificate ourselves as a more permanent fix which is less than ideal.
  Tue Apr 14 11:44:59 2015 ask [...] perl.org - Correspondence added
Subject: Re: [rt.cpan.org #101908] A Verisign CA certificate was dropped, but is still in use in the wild
Date: Tue, 14 Apr 2015 08:44:48 -0700
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
Show quoted text
> On Apr 14, 2015, at 1:53, Sue Spence via RT <bug-Mozilla-CA@rt.cpan.org> wrote: > > We are seeing this issue in our codebase and it is a serious problem.
Hi Sue, Your SSL library isn’t processing the trust chain appropriately. See https://github.com/gisle/mozilla-ca/pull/5#issuecomment-90425221 Ask
  Thu May 14 15:21:10 2015 BBYRD [...] cpan.org - Correspondence added
I've run into this issue a few times with different hosts and a few different CAs. The issue of CA trust chains breaking has been increasing over the past year or two. Unfortunately, there is no central root-server-like repository to define a global trust bundle, so we've decided to default one that comes from a popular browser. However, with the failures I've experienced, the Mozilla CA bundle is no longer reliable, from my POV, at least not by itself. I've tried Chrome's set (even considered a Chrome::CA module), but that has gaps, too. I'm going to try a set from CloudFlare to see if that provides the coverage we need: https://github.com/cloudflare/cfssl_trust But, this is just guesswork and poking around to see what fits. Why should CloudFlare be the central authority on this? They were just somebody who decided to combine a bunch of these sets together and release it on Github. Anyway, anybody having these issues should try that bundle out and see if that fits.
  Mon Aug 29 11:00:41 2016 dolmen [...] cpan.org - Correspondence added
Le 2015-02-03 16:33:26, DAKKAR a écrit :
Show quoted text
> Hello.
>
> In release 20141217, the certificate "Verisign Class 3 Public Primary
> Certification Authority" disappeared. That certificate is still listed
> as essentially valid on https://www.symantec.com/page.jsp?id=roots
> (formerly https://www.verisign.com/support/roots.html ):

Please update if this issue is still relevant with release 20160104.


-- 
Olivier Mengué - http://perlresume.org/DOLMEN