Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Sunday 04 September 2011 10:35:16 Yves-Alexis Perez wrote:
> On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> > On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > > Looking at the patches, this really is:
> > Ok, with the patches we got NSS covered, but we still need to do
> > something for other users.
> > 
> > A first look at stuff we ship, this seems to be their current status:
> > * NSS:
> > ice* packages should be okay after the latest NSS update.
> For other NSS users I guess they're ok? I've just checked in evolution
> certificate store and there's no DigiNotar one, though I don't know if
> evolution would prevent connection to an imap/pop/smtp server with a
> relevant certificate.

Did you look for "Explicitly Disabled DigiNotar..."?

> evolution uses gnutls for calendars (since it's http/https) and so is
> protected through ca-certificates afaict?

Not really, since DigiNotar's CA is cross-signed by Entrust and it probably 
won't know that that signature has been revoked, since GnuTLS doesn't support 

That's the same sad story for everything else using GnuTLS and for many 
OpenSSL users. OpenSSL does support OCSP, but applications rarely use it.

> I've tried the three websites given on this bug report but I don't know
> if they still make sense:
> https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) but
> as the redirect isn't prevented I guess chromium is ok with the
> certificate.
> https://sha2.diginotar.nl/ succeeds, chain of certification is:
> CN = sha2.diginotar.nl
> CN = DigiNotar PKIoverheid CA Organisatie - G2
> CN = Staat der Nederlanden Organisatie CA - G2
> CN = Staat der Nederlanden Root CA - G2 (chromium builtin).

From mozilla's bugzilla, these should also fail:

(disable online revocation check before testing, at least the last one)

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
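The thread's point is that a cross-signed DigiNotar certificate keeps validating in GnuTLS and most OpenSSL applications because revocation is never checked, so the practical defence at the time was a local distrust list matched against the chain itself. The following is an added example (not code from the Debian bug, Debian, Mozilla, GnuTLS or OpenSSL) showing that check: a minimal DER walker that pulls the issuer and subject commonName out of each certificate in a chain and refuses the chain if any of them is on the list. The only distrusted name it uses is "DigiNotar Root CA" from the bug title; the Entrust cross-signer name and the certificates themselves are constructed test data built by the block's own tiny DER encoder, not real certificates.

```python
"""Added example: distrust a CA by name from the certificate chain itself,
without relying on OCSP/CRL. Not code from the bug report or any project it
mentions. Handles the usual X.509 layout only (single-byte tags)."""

# DER contents of OID 2.5.4.3 (id-at-commonName) and 2.5.4.10 (organizationName)
CN_OID = b"\x55\x04\x03"
O_OID = b"\x55\x04\x0a"

# The only name taken from the thread; anything else here would be an assumption.
DISTRUSTED_CNS = {"DigiNotar Root CA"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos] -> (tag, constructed, value, next_pos)."""
    tag = buf[pos]
    constructed = bool(tag & 0x20)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, constructed, buf[pos:pos + length], pos + length


def extract_cns(name_der):
    """Collect every commonName value inside an X.501 Name, in encounter order."""
    found, pos, prev_oid = [], 0, None
    while pos < len(name_der):
        tag, constructed, value, pos = _read_tlv(name_der, pos)
        if constructed:                    # SET / SEQUENCE: recurse into the RDN
            found.extend(extract_cns(value))
            prev_oid = None
        elif tag == 0x06:                  # OBJECT IDENTIFIER: remember the attribute type
            prev_oid = value
        elif prev_oid == CN_OID and tag in (0x0C, 0x13, 0x16):  # UTF8/Printable/IA5String
            found.append(value.decode("utf-8", errors="replace"))
            prev_oid = None
        else:
            prev_oid = None
    return found


def issuer_and_subject(cert_der):
    """Return (issuer_cns, subject_cns) by walking the fixed TBSCertificate field order."""
    _, _, cert, _ = _read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    tag, _, _, pos = _read_tlv(tbs, 0)             # [0] EXPLICIT version, optional
    if tag != 0xA0:
        pos = 0                                    # v1 certificate: first field is the serial
    _, _, _, pos = _read_tlv(tbs, pos)             # serialNumber
    _, _, _, pos = _read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, issuer, pos = _read_tlv(tbs, pos)        # issuer Name
    _, _, _, pos = _read_tlv(tbs, pos)             # validity
    _, _, subject, _ = _read_tlv(tbs, pos)         # subject Name
    return extract_cns(issuer), extract_cns(subject)


def chain_distrusted(chain_der, distrusted=DISTRUSTED_CNS):
    """Return the first distrusted CN seen as issuer OR subject anywhere in the chain, else None.
    Checking the subject too is what catches a cross-signed intermediate: its own
    issuer (Entrust, per the thread) is still trusted, so issuer-only or OCSP-free
    path validation would accept it."""
    for cert_der in chain_der:
        issuer_cns, subject_cns = issuer_and_subject(cert_der)
        for cn in issuer_cns + subject_cns:
            if cn in distrusted:
                return cn
    return None


# ---- constructed test data: a tiny DER encoder and an unsigned certificate skeleton ----
def _tlv(tag, content):
    """Encode one DER TLV (lengths below 65536 are enough for the test data)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _name(cn, org=None):
    """Encode Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdns = _tlv(0x31, _tlv(0x30, _tlv(0x06, O_OID) + _tlv(0x0C, org.encode()))) if org else b""
    rdns += _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode())))
    return _tlv(0x30, rdns)


def make_test_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate-shaped DER for exercising the parser; not a real cert."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # version v3
           + _tlv(0x02, b"\x01\x00")                                         # serialNumber (made up)
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))  # sha256WithRSA
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"110101000000Z") + _tlv(0x17, b"120101000000Z"))          # validity
           + _name(subject_cn)
           + _tlv(0x30, b""))                                                # SPKI placeholder, never parsed
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Cross-signed case from the thread: DigiNotar Root CA as *subject*, issued by an Entrust root (name constructed).
    cross_signed = [make_test_cert("Example Entrust Root (constructed)", "DigiNotar Root CA"),
                    make_test_cert("DigiNotar Root CA", "*.google.com")]
    print("cross-signed chain:", chain_distrusted(cross_signed))            # DigiNotar Root CA
```

Run against a real chain, `chain_der` would be the DER-decoded certificates a TLS library hands back; the walker assumes the standard field order of RFC 5280 and single-byte tags, which every certificate in the wild satisfies, so it also serves as a cheap audit of a CA bundle for names that a distribution has already pulled.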

