Please sync ca-certificates 20080809 (main) from Debian unstable (main).

Bug #290485 reported by Daniel Hahler
Affects: ca-certificates (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

 affects ubuntu/ca-certificates
 status confirmed
 importance wishlist
 subscribe ubuntu-archive

Please sync ca-certificates 20080809 (main) from Debian unstable (main).

Explanation of the Ubuntu delta and why it can be dropped:
The change in Ubuntu has been accepted into Debian.

Also, this update fixes LP: #246205, where boinc fails to authenticate
against Worldcommunitygrid (or rather generally fails to use SSL, but
most projects allow falling back to non-SSL).
I cannot say why 20080809 fixes it, but I confirm the comment from
EagleScreen
(https://bugs.launchpad.net/ubuntu/+source/boinc/+bug/246205/comments/17).

Changelog since current intrepid version 20080514-0ubuntu1:

ca-certificates (20080809) unstable; urgency=low

  * New cacert.org.pem joining both CACert Class 1 and Class 3 certificates.
    This file can be used for proper certificate chaining if CACert
    server certificates are used. The old class3.pem and root.pem
    certificates are deprecated. This new file could safely serve as
    a replacement for both. (Closes: #494343)
  * This also reintroduces the old name for the CACert certificate,
    thus closing a long-standing bug about its rename to root.crt.
    (Closes: #413766)

 -- Philipp Kern <email address hidden> Sat, 09 Aug 2008 14:58:24 -0300

ca-certificates (20080617) unstable; urgency=low

  * Added French Government's IGC/A CA (both DSA and RSA).
    (Closes: #416470)

 -- Philipp Kern <email address hidden> Mon, 23 Jun 2008 20:55:53 +0200

ca-certificates (20080616) unstable; urgency=low

  * Fix installation on pt_BR locales. The problem was caused by the
    .templates choices strings being marked for translation, with pt_BR
    being the only language which actually translated them. Thanks to
    Ubuntu for the fix, which needs to be around until Lenny is released
    or six months have passed, whichever is later. (Closes: #472507)
  * Drop Fumitoshi from the list of maintainers. Farewell!
  * Bump Standards-Version to 3.8.0.

 -- Philipp Kern <email address hidden> Mon, 16 Jun 2008 17:41:50 +0200

Daniel Hahler (blueyed) wrote :

Subscribing ubuntu-release, who need to confirm it.

Changed in ca-certificates:
status: Confirmed → New
Steve Langasek (vorlon) wrote :

No chance. Wait for jaunty.

Steve Langasek (vorlon) wrote :

this also needs to be acked by core-dev...

Martin Pitt (pitti) wrote :

Ack'ed, thanks!

Changed in ca-certificates:
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

[Updating] ca-certificates (20080514-0ubuntu1 [Ubuntu] < 20080809 [Debian])
 * Trying to add ca-certificates...
  - <ca-certificates_20080809.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <ca-certificates_20080809.dsc: downloading from http://ftp.debian.org/debian/>
I: ca-certificates [main] -> ca-certificates_20080514-0ubuntu1 [main].

Changed in ca-certificates:
status: Confirmed → Fix Released
Dan McGrath (troubled) wrote :

I think this bug is affecting me at least in 12.04:

# openssl x509 -text -in /usr/share/ca-certificates/cacert.org/cacert.org.crt | grep Signature
    Signature Algorithm: md5WithRSAEncryption
    Signature Algorithm: md5WithRSAEncryption

The problem is that cacert.org breaks svn over https for some projects that use cacert since an update to neon for gnutls disables certs with md5 for security, at least if I understand the problem correctly.

Our workaround was to tell everyone to add an option to not trust the ~/.subversion/servers file ("ssl-trust-default-ca = no"), but it would be nice if this just worked "out of the box" for people with the latest security updates in ubuntu.

Is there any reason why this hasn't been fixed yet? Or is the fix for cacert in this bug something else? (if so, apologies, I will report a separate bug).

Thanks o/

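The `openssl x509 ... | grep Signature` check in the comment above, reimplemented as an added example (not code from this thread or from the ca-certificates package): it reads the signatureAlgorithm OID straight out of a DER or PEM certificate, so a whole trust store can be scanned for MD5-signed roots without shelling out to openssl. The sample certificates are constructed DER skeletons, not real CAcert roots.

```python
import base64
import re
# MD2/MD5-based signature algorithms; GnuTLS and friends reject certificates signed with them.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Render DER OID contents as dotted decimal (e.g. 1.2.840.113549.1.1.4)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 digit
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def to_der(cert):
    """Accept PEM text or raw DER bytes; return DER bytes."""
    if isinstance(cert, bytes):
        return cert
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def signature_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    der = to_der(cert)
    tag, start, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)               # skip tbsCertificate wholesale
    _, alg_start, _ = _read_tlv(der, tbs_end)           # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[oid_start:oid_end])

def weak_signature(cert):  # weak algorithm name, or None if the signature hash is acceptable
    return WEAK_SIG_OIDS.get(signature_oid(cert))
# Constructed minimal DER skeletons (not real certificates): tbsCertificate is a
# SEQUENCE holding one INTEGER and signatureValue is an empty BIT STRING.
SAMPLE_MD5_DER = bytes.fromhex("3015" "3003020100" "300b06092a864886f70d010104" "030100")
SAMPLE_SHA256_DER = bytes.fromhex("3015" "3003020100" "300b06092a864886f70d01010b" "030100")
SAMPLE_MD5_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_MD5_DER).decode()
                  + "\n-----END CERTIFICATE-----\n")
```

Feeding each PEM file under /usr/share/ca-certificates/ to `weak_signature` lists the roots that a client rejecting MD5 signatures will refuse, which is the check Dan ran by hand for cacert.org.crt.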
Dimitri John Ledkov (xnox) wrote :

My understanding is that by default we do not include/enable cacert.org certificates.
See https://wiki.ubuntu.com/CAcert
If this has changed, I better go and disable it manually on all of my machines....

Dan McGrath (troubled) wrote :

hehe, I was thinking the same thing about the Chinese Post office (!mozilla/Hongkong_Post_Root_CA_1.crt) :) I looked at the wiki URL you pasted though, but it seems a little old and dated. We appear to be long past the point where they were deciding to include it or not, it would appear.

Anyways, a quick check in my /etc/ca-certificates.conf shows it is enabled:
cacert.org/cacert.org.crt

The cert seems to be activated and installed just fine. The problem is that this cert is useless ever since the gnutls patch mentioned above that refuses all certs that used md5 instead of sha1, which this is affected by.

A quick check of their wiki shows their Class 1 cert signed MD5 still though:
  https://wiki.cacert.org/Roots/StateOverview

hmm, perhaps I should email them and inquire what might be causing them to only use md5+sha1 root cert instead of just sha1. There might be some technical or political problem preventing them from solving this properly.

Anyways, thanks for quick reply. o/

Dan McGrath (troubled) wrote :

Ah, it would appear that they have already published a FAQ on this matter (/me slaps myself for not checking the urls on that page BEFORE replying!):

  https://wiki.cacert.org/FAQ/Class3Resign

Apologies for email noise.

Dimitri John Ledkov (xnox) wrote :

Considering CAcert generated the new cert in 2011, I don't see how "syncing" a 2008 package would help here. If debian/ubuntu ca-certificates is out of date and missing the new cert, please open bugs about that in Debian BTS and Launchpad (linking in the BTS bug as well).
