ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Adam Williamson adamwill at fedoraproject.org
Tue Sep 9 06:26:12 UTC 2014 

On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote:
> On Mon, 2014-09-08 at 10:06 +0200, Nikos Mavrogiannopoulos wrote:
> > Unfortunately only NSS works. Both openssl and gnutls fail to connect to
> > popular sites because of that change. It should not be assumed that the
> > users of ca-certificates are only programs using nss.
> 
> [1] is an interesting read. I get the impression that certificates are
> being removed as long as there is a compatible replacement that NSS can
> validate, based on NSS's custom strategies for certificate validation.
> Is this claim accurate?

"Custom strategies" is an interesting concept. AFAICS, the TLS standard:

http://tools.ietf.org/html/rfc5246

does not exactly define 'standard' certificate verification strategies,
so in a sense, they're *all* "custom". In other words, we're in good old
Standard Ambiguity Land here. What that doc has to say about chains,
AFAICS, is:

7.4.2.  Server Certificate
...
certificate_list
      This is a sequence (chain) of certificates.  The sender's
      certificate MUST come first in the list.  Each following
      certificate MUST directly certify the one preceding it.  Because
      certificate validation requires that root keys be distributed
      independently, the self-signed certificate that specifies the root
      certificate authority MAY be omitted from the chain, under the
      assumption that the remote end must already possess it in order to
      validate it in any case.

Note: this doesn't say anything about how the client should *validate*
the server's certificate list. It defines properties of the list, but
not its interpretation by the client.

7.4.5.  Server Hello Done
...
      Upon receipt of the ServerHelloDone message, the client SHOULD
      verify that the server provided a valid certificate, if required,
      and check that the server hello parameters are acceptable.

Again, this doesn't specify precisely how the client should interpret
the requirement for "a valid certificate".

F.1.1.  Authentication and Key Exchange
...
If the server is authenticated,
   its certificate message must provide a valid certificate chain
   leading to an acceptable certificate authority.  Similarly,
   authenticated clients must supply an acceptable certificate to the
   server.  Each party is responsible for verifying that the other's
   certificate is valid and has not expired or been revoked.

Note: this doesn't define exactly *how* the client should verify that
the server provides "a valid certificate chain leading to an acceptable
certificate authority". It doesn't seem to me that the NSS
implementation falls outside of this requirement, for instance.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

More information about the devel mailing list