[Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

Raphael Geissert geissert at debian.org
Thu Sep 8 17:25:21 UTC 2011


On Wednesday 07 September 2011 22:06:55 Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basically saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar somewhere in the chain?
> > > 
> > > I'm not opposed to such a change, but would like to see a better
> > > option in the future.
> > 
> > Yes. I will try to spend some time with a debugger later today to find
> > the right place to implement such check. Or do you have any hint? (the
> > cn validation functions didn't seem to be executed in one case I tried)
> 
> Attached is the first version of patch against the 1.0.0 series that does
> that. I implemented it in check_name_constraints, but given that 0.9.8
> doesn't have support for name constraints I might as well move it to a
> separate function. I've tested it on the rogue *.google.com cert with
> verify(1) and a few others with different clients (tried the urls
> mentioned on the bug report, of which only ingcommercialbanking still uses
> a DigiNotar cert.)
> Attached are a bundle of the certs needed to verify(1) the rogue google
> cert, and the rogue cert itself. Perhaps they could be included in the
> test suite.

I somehow ended up adding an O instead of a 0 in the exported patch for 1.0.0.
Attached are the fixed 1.0.0 patch (as v2, to avoid confusion) and the
previous patch for 0.9.8.

> The patch for 0.9.8 is also attached, but I haven't tested it yet. It was
> made based on squeeze's openssl and it seems to apply fine to lenny's
> openssl (just a few lines of difference.)
> 
> Kurt, what do you think? Would upstream be interested in the patch, or at
> least in reviewing it?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: block_diginotar.098.v1.patch
Type: text/x-patch
Size: 2162 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110908/e57c91ac/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: block_diginotar.100.v2.patch
Type: text/x-patch
Size: 937 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110908/e57c91ac/attachment-0001.bin>
