[Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Raphael Geissert
geissert at debian.org
Thu Sep 8 03:06:55 UTC 2011
On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > So you're basically saying that X509_verify_cert() should give an
> > error in case it finds DigiNotar somewhere in the chain?
> >
> > I'm not opposed to such a change, but would like to see a better
> > option in the future.
>
> Yes. I will try to spend some time with a debugger later today to find the
> right place to implement such check. Or do you have any hint? (the cn
> validation functions didn't seem to be executed in one case I tried)
Attached is the first version of a patch against the 1.0.0 series that does that.
I implemented it in check_name_constraints, but given that 0.9.8 doesn't have
support for name constraints I might as well move it to a separate function.
I've tested it on the rogue *.google.com cert with verify(1) and a few others
with different clients (tried the URLs mentioned on the bug report, of which
only ingcommercialbanking still uses a DigiNotar cert.)
Attached are a bundle of the certs needed to verify(1) the rogue google cert,
and the rogue cert itself. Perhaps they could be included in the test suite.
The patch for 0.9.8 is also attached, but I haven't tested it yet. It was made
based on squeeze's openssl and it seems to apply fine to lenny's openssl (just
a few lines of difference.)
Kurt, what do you think? Would upstream be interested in the patch, or at
least in reviewing it?
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: block_diginotar.098.v1.patch
Type: text/x-patch
Size: 2162 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110907/de7918bc/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: block_diginotar.100.v1.patch
Type: text/x-patch
Size: 937 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110907/de7918bc/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diginotar-bundle.pem
Type: application/x-x509-ca-cert
Size: 4127 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110907/de7918bc/attachment-0002.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rogue google.crt
Type: application/x-x509-ca-cert
Size: 1850 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110907/de7918bc/attachment-0003.crt>
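The chain check the post describes, as an added example rather than the attached patch: it reports whether DigiNotar appears in any subject or issuer anywhere in a chain, including one in which a DigiNotar CA is cross-signed by some other root, which removing the DigiNotar root from the trust store alone would not catch. It decodes X.501 Names from DER with the standard library only; the OIDs, names and chains below are constructed sample data, and the DigiNotar intermediate name is invented.

```python
import re

BLOCKED = re.compile(r"diginotar", re.IGNORECASE)

def der(tag, body):
    """Encode one DER TLV (short length form, or long form for bodies >= 128 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf, handling short and long lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                   # long form: n & 0x7F length bytes follow
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(buf[i - k:i], "big")
        yield tag, buf[i:i + n]
        i += n

def name_strings(name_der):
    """Return every attribute value string in a DER X.501 Name (a subject or issuer)."""
    out = []
    for _, seq in tlvs(name_der):                      # Name ::= SEQUENCE OF RDN
        for _, rdn in tlvs(seq):                       # RDN  ::= SET OF AttributeTypeAndValue
            for _, atv in tlvs(rdn):                   # ATV  ::= SEQUENCE { OID, value }
                _oid, value = (v for _, v in tlvs(atv))
                out.append(value.decode("utf-8", "replace"))
    return out

def chain_is_blocked(chain):
    """chain: list of (subject_der, issuer_der), leaf first, trust anchor last.
    Fail if DigiNotar appears in any subject or issuer at any position, not only at the anchor."""
    return any(BLOCKED.search(s) for subject, issuer in chain
               for s in name_strings(subject) + name_strings(issuer))

def name(**attrs):
    """Build a DER Name from cn/o strings (constructed sample data; only CN and O OIDs known)."""
    oids = {"cn": b"\x55\x04\x03", "o": b"\x55\x04\x0a"}
    rdns = [der(0x31, der(0x30, der(0x06, oids[k]) + der(0x0C, v.encode()))) for k, v in attrs.items()]
    return der(0x30, b"".join(rdns))

# Constructed chains: rogue leaf under the DigiNotar root, the same CA cross-signed by an
# unrelated root (still caught), and an unrelated chain that must pass.
ROGUE = [(name(cn="*.google.com"), name(cn="DigiNotar Root CA")),
         (name(cn="DigiNotar Root CA"), name(cn="DigiNotar Root CA"))]
CROSS_SIGNED = [(name(cn="*.google.com"), name(cn="DigiNotar Sample CA", o="DigiNotar B.V.")),
                (name(cn="DigiNotar Sample CA", o="DigiNotar B.V."), name(cn="Example Cross Root")),
                (name(cn="Example Cross Root"), name(cn="Example Cross Root"))]
GOOD = [(name(cn="www.example.org"), name(cn="Example CA")),
        (name(cn="Example CA"), name(cn="Example CA"))]
```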