[Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Yves-Alexis Perez
corsac at debian.org
Sun Sep 4 15:35:16 UTC 2011
On Sun, 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > Looking at the patches, this really is:
> [...]
>
> Ok, with the patches we got NSS covered, but we still need to do something for
> other users.
>
> A first look at stuff we ship, this seems to be their current status:
> * NSS:
> ice* packages should be okay after the latest NSS update.

For other NSS users I guess they're ok? I've just checked in evolution
certificate store and there's no DigiNotar one, though I don't know if
evolution would prevent connection to an imap/pop/smtp server with a
relevant certificate.

evolution uses gnutls for calendars (since it's http/https) and so is
protected through ca-certificates afaict?

>
> * OpenSSL
> Nothing special here
>
> * GnuTLS
> Nothing special here
>
> * chromium:
> Even after the NSS update, it seems to be happy to use the Explicitly
> Distrusted certs.

I've tried the three websites given on this bug report but I don't know
if they still make sense:

https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) but
as the redirect isn't prevented I guess chromium is ok with the
certificate.

https://sha2.diginotar.nl/ succeeds, chain of certification is:

    CN = sha2.diginotar.nl
    CN = DigiNotar PKIoverheid CA Organisatie - G2
    CN = Staat der Nederlanden Organisatie CA - G2
    CN = Staat der Nederlanden Root CA - G2 (chromium builtin).

Regards,
--
Yves-Alexis