
Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA



On dim., 2011-09-04 at 13:34 -0500, Raphael Geissert wrote:
> [Dropping CC on openssl maintainers, to reduce noise]
> 
> On Sunday 04 September 2011 10:35:16 Yves-Alexis Perez wrote:
> > On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> > > On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > > > Looking at the patches, this really is:
> > > [...]
> > > 
> > > Ok, with the patches we got NSS covered, but we still need to do
> > > something for other users.
> > > 
> > > A first look at stuff we ship, this seems to be their current status:
> > > * NSS:
> > > ice* packages should be okay after the latest NSS update.
> > 
> > For other NSS users I guess they're ok? I've just checked in evolution
> > certificate store and there's no DigiNotar one, though I don't know if
> > evolution would prevent connection to an imap/pop/smtp server with a
> > relevant certificate.
> 
> Did you look for "Explicitly Disabled DigiNotar..."?

What do you mean?

> 
> > evolution uses gnutls for calendars (since it's http/https) and so is
> > protected through ca-certificates afaict?
> 
> Not really, since DigiNotar's CA is cross-signed by Entrust and it probably
> won't know that that signature has been revoked, since GnuTLS doesn't support
> OCSP.
> 
> That's the same sad story for everything else using GnuTLS and for many
> OpenSSL users. OpenSSL does support OCSP, but applications rarely use it.

Damn.
> 
> > I've tried the three websites given on this bug report but I don't know
> > if they still make sense:
> > 
> > https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) but
> > as the redirect isn't prevented I guess chromium is ok with the
> > certificate.
> > 
> > https://sha2.diginotar.nl/ succeeds, chain of certification is:
> > 
> > CN = sha2.diginotar.nl
> > CN = DigiNotar PKIoverheid CA Organisatie - G2
> > CN = Staat der Nederlanden Organisatie CA - G2
> > CN = Staat der Nederlanden Root CA - G2 (chromium builtin).
> 
> From mozilla's bugzilla, these should also fail:
> https://www.nifpnet.nl/
> https://belastingbalie.eindhoven.nl/
> https://acceptation.cbpublications.ingcommercialbanking.com/
> 
> (disable online revocation check before testing, at least the last one)

None of them fail (the last one fails with revocation checking)

Cheers,
-- 
Yves-Alexis

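Added example, not part of the thread: a Go program (standard library crypto/x509 only) showing the cross-signing problem Raphael describes. A distrusted intermediate that a trusted root has cross-signed passes ordinary path validation, so a client without OCSP needs an explicit block list, which is what the NSS "Explicitly Disabled DigiNotar" entry provides. All certificate names, keys and the www.example.com leaf are constructed test data generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var distrusted = []string{"DigiNotar Root CA"} // block list applied after path validation (constructed)

// ChainIsDistrusted reports whether any cert in a verified chain has a block-listed subject CN.
func ChainIsDistrusted(chain []*x509.Certificate) bool {
	for _, c := range chain {
		for _, bad := range distrusted {
			if c.Subject.CommonName == bad {
				return true
			}
		}
	}
	return false
}

// issue creates a constructed test cert for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// CheckCrossSigned builds trusted root -> intermediate named interCN -> leaf and returns (pathValid, blocked):
// path validation alone accepts the cross-signed chain; only the block list rejects it.
func CheckCrossSigned(interCN string) (bool, bool) {
	root, rk := issue("Constructed Trusted Root", true, 1, nil, nil)
	inter, ik := issue(interCN, true, 2, root, rk)
	leaf, _ := issue("www.example.com", false, 3, inter, ik)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil, err == nil && ChainIsDistrusted(chains[0])
}
```

A real client would match on more than the exact CN (key hash or full DN), but the shape is the same: validate the path, then refuse any chain containing a distrusted issuer.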