Bug#514807: Regression in libgnutls security update

Florian Weimer fw at deneb.enyo.de
Wed Feb 11 23:01:13 UTC 2009 

* Edward Allcutt:

> I believe this is a significant regression in stable because at least
> one widely used CA (godaddy) still issues certificates with a chain
> ending in a v1 root (ValiCert Class 2).

Are we talking about this certificate?

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com
        Validity
            Not Before: Jun 26 00:19:54 1999 GMT
            Not After : Jun 26 00:19:54 2019 GMT
        Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:
                    0e:f9:ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:
                    98:36:3c:5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:
                    25:42:09:24:6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:
                    d6:7d:5a:59:a9:65:d4:49:13:2d:24:4d:1c:50:6f:
                    b5:c1:85:54:3b:fe:71:e4:d3:5c:42:f9:80:e0:91:
                    1a:0a:5b:39:36:67:f3:3f:55:7c:1b:3f:b4:5f:64:
                    73:34:e3:b4:12:bf:87:64:f8:da:12:ff:37:27:c1:
                    b3:43:bb:ef:7b:6e:2e:69:f7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:c8:3e:
        a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:18:00:8e:4d:
        bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:41:d9:0f:34:ee:21:
        81:19:a0:32:49:28:f4:c4:8e:56:d5:52:33:fd:50:d5:7e:99:
        6c:03:e4:c9:4c:fc:cb:6c:ab:66:b3:4a:21:8c:e5:b5:0c:32:
        3e:10:b2:cc:6c:a1:dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:
        0e:4a:b7:3f:3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:
        43:dd

It's not just a X.509v1 certificate.  It's ten years old, it's just
1024 bits, and ValiCert does not exist anymore as an organization
(thus the DN is invalid).

So while I understand that there is a problem (and we knew that there
was a trade-off to be made when releasing the update), I think this
particular root certificate is a bad example if you want to make a
point.

Simon, could we make the harmless variant (X.509v1 certificate set as
trusted is accepted as a root CA, but intermediate X.509v1
certificates aren't accepted) the default in etch?

> Godaddy appears to have a newer v3 root but I don't know how widely
> deployed this is. It is not in the etch ca-certificates package for
> example.

Which root are you referring to?

More information about the Pkg-gnutls-maint mailing list