[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Wed, Sep 07, 2011 at 10:06:55PM -0500, Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basicly saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar somewhere in the chain?
> > > 
> > > I'm not opposed to such a change, but would like to see a better
> > > option in the future.
> > 
> > Yes. I will try to spend some time with a debugger later today to find the
> > right place to implement such check. Or do you have any hint? (the cn
> > validation functions didn't seem to be executed in one case I tried)
> Attached is the first version of patch against the 1.0.0 series that does that. 
> I implemented it in check_name_constraints, but given that 0.9.8 doesn't have 
> support for name constraints I might as well move it to a separate function.
> I've tested it on the rogue *.google.com cert  with verify(1) and a few others 
> with different clients (tried the urls mentioned on the bug report, of which 
> only ingcommercialbanking still uses a DigiNotar cert.)
> Attached are a bundle of the certs needed to verify(1) the rogue google cert, 
> and the rogue cert itself. Perhaps they could be included in the test suite.
> The patch for 0.9.8 is also attached, but I haven't tested it yet. It was made 
> based on squeeze's openssl and it seems to apply fine to lenny's openssl (just 
> a few lines of difference.)

I wonder why you don't use the same patch for both.  I think the
check_name_constraints() actually tries to test something else,
like that it's a well-formed name or something.  So the new function
makes more sense to me.

Looking at the patch, it seems to make sense to me.

> Kurt, what do you think? would upstream be interested in the patch, or at 
> least in reviewing it?

I can always try and ask them.


Reply to: