Bug#514807: a proposal for consideration for V1 CA certs in Etch (and Lenny?)
Andreas Metzler
ametzler at downhill.at.eu.org
Sat Feb 21 09:16:23 UTC 2009
On 2009-02-19 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> I've done a bit of research on this bug (dealing with V1 CA certificates
> for gnutls in etch and/or lenny), and i do think that it is potentially
> quite serious.
> For example, the certificate used by https://mail.google.com/ appears to
> be rooted in a v1 CA certificate:
[...]
Shouldn't gnutls-cli mark the certificate as unverified in that case?
----------------------
ametzler at argenau:/etc/ssl/certs$ gnutls-cli --x509cafile /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem -p https mail.google.com
Processed 1 CA certificate(s).
Resolving 'mail.google.com'...
Connecting to '66.249.91.83:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'mail.google.com'.
# valid since: Fri May 2 18:32:54 CEST 2008
# expires at: Sat May 2 18:32:54 CEST 2009
# fingerprint: C3:36:8D:8C:7F:27:45:78:E5:A5:08:40:D3:EF:16:67
# Subject's DN: C=US,ST=California,L=Mountain View,O=Google Inc,CN=mail.google.com
# Issuer's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
- Certificate[1] info:
# valid since: Thu May 13 02:00:00 CEST 2004
# expires at: Tue May 13 01:59:59 CEST 2014
# fingerprint: 84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31
# Subject's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
# Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
----------------------
ametzler at argenau:/etc/ssl/certs$ certtool -i < /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
X.509 Certificate Information:
Version: 1
Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Tue Aug 01 23:59:59 UTC 2028
[...]
Signature Algorithm: RSA-MD2
warning: signed using a broken signature algorithm that can be forged.
[...]
----------------------
cu and- mystified -reas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Pkg-gnutls-maint
mailing list