bug-wget

Re: Sectigo root CA expiry issue


From: Tim Rühsen
Subject: Re: Sectigo root CA expiry issue
Date: Sun, 31 May 2020 11:19:21 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0

See also: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352370753

Regards, Tim

On 31.05.20 00:18, darnir@gnu.org wrote:
> For anyone interested, this topic is currently trending on Hacker News:
> 
> https://news.ycombinator.com/item?id=23362759
> 
> On May 30, 2020 9:02:36 PM GMT+02:00, Petr Pisar <petr.pisar@atlas.cz> wrote:
>> On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
>>> Today I started getting some errors with a maintenance script that makes
>>> use of wget, where it claims that a certificate has expired.
>>>
>>> DEBUG output created by Wget 1.19.5 on linux-gnu.
>>>
>>> Reading HSTS entries from /root/.wget-hsts
>>> URI encoding = ‘UTF-8’
>>> --2020-05-30 17:29:58--  https://ehwiki.org/
>>> Certificates loaded: 154
>>> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
>>> Caching ehwiki.org => 94.100.29.76
>>> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
>>> Created socket 4.
>>> Releasing 0x00005633a3c84880 (new refcount 1).
>>> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
>>> ERROR: The certificate of ‘ehwiki.org’ has expired.
>>>
>>> However, the certificate does not expire until March 2021.
>>
>> Yes. That's a badly worded error message by wget. The issue is not with
>> ehwiki.org certificate. The issue is with its authority's certificate.
>>
>>> Doing the same with curl on the same box produces no errors, so it does
>>> not seem to be an issue with the system CA certs. Based on some slouching
>>> around, it seems to have something to do with wget not correctly handling
>>> the expiry of the Sectigo AddTrust root certificate:
>>>
>>> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>>>
>> [...]
>>> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations
>>> with all updates applied.
>>>
>>> I'm not sure if this is a distro issue or an issue with wget itself?
>>
>> I experience it on Gentoo too. The problem is not in wget:
>>
>> $ wget --version
>> GNU Wget 1.20.3 built on linux-gnu.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls 
>> -ntlm +opie -psl +ssl/gnutls 
>>
>> but in GnuTLS library:
>>
>> $ gnutls-cli --port https ehwiki.org
>> Processed 158 CA certificate(s).
>> Resolving 'ehwiki.org:https'...
>> Connecting to '94.100.29.76:443'...
>> - Certificate type: X.509
>> - Got a certificate list of 3 certificates.
>> - Certificate[0] info:
>> - subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control
>> Validated', issuer `CN=Gandi Standard SSL CA
>> 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial
>> 0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using
>> RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12
>> 23:59:59 UTC',
>> pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
>>        Public Key ID:
>>                sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
>> sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
>>        Public Key PIN:
>>                pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=
>>
>> - Certificate[1] info:
>> - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR',
>> issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>> Network,L=Jersey City,ST=New Jersey,C=US', serial
>> 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using
>> RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11
>> 23:59:59 UTC',
>> pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
>> - Certificate[2] info:
>> - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>> Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External
>> CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial
>> 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using
>> RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30
>> 10:48:38 UTC',
>> pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
>> - Status: The certificate is NOT trusted. The certificate chain uses
>> expired certificate. 
>> *** PKI verification of server certificate failed...
>> *** Fatal error: Error in the certificate.
>>
>> It seems that GnuTLS stops on a failure in the first certificate chain,
>> while other libraries like OpenSSL explore other chains before giving up.
>>
>> It would help if the ehwiki.org server did not send the expired certificate
>> in the certificate chain of the TLS handshake and sent the alternative one
>> that has not yet expired, as advertised on the Sectigo web page you linked.
>>
>> -- Petr
> 

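The chain-building difference Petr describes, reduced to a small model (an added example, not code from wget, GnuTLS or OpenSSL): the served chain ends in the USERTrust root cross-signed by the expired AddTrust root, while the trust store also holds USERTrust as a self-signed anchor. A builder that follows the served chain link by link rejects the expired cross-certificate; one that consults the trust store first anchors at USERTrust and succeeds, as does the served-chain builder once the server stops sending the cross-certificate. Certificate names and expiry dates come from the gnutls-cli output above; the trust-anchor expiry and the `trusted_first` switch are constructed for illustration.

```python
"""Model of two X.509 path-building strategies on the ehwiki.org chain."""
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


# Served chain, leaf first, as shown by gnutls-cli in the thread.
SERVED = [
    Cert("ehwiki.org", "Gandi Standard SSL CA 2", utc("2021-03-12 23:59:59")),
    Cert("Gandi Standard SSL CA 2", "USERTrust RSA CA", utc("2024-09-11 23:59:59")),
    # USERTrust root cross-signed by AddTrust: expired on 2020-05-30 10:48:38 UTC.
    Cert("USERTrust RSA CA", "AddTrust External CA Root", utc("2020-05-30 10:48:38")),
]
# Trust store: self-signed USERTrust anchor (expiry constructed) plus the
# AddTrust root, which expired at the same instant as the cross-certificate.
TRUSTED = {
    "USERTrust RSA CA": Cert("USERTrust RSA CA", "USERTrust RSA CA", utc("2038-01-18 23:59:59")),
    "AddTrust External CA Root": Cert("AddTrust External CA Root", "AddTrust External CA Root", utc("2020-05-30 10:48:38")),
}
NOW = utc("2020-05-30 17:29:58")  # timestamp of the failing wget run in the thread


def build_path(served, trusted, now, trusted_first):
    """Return (ok, reason). trusted_first=False walks the served chain and fails
    on the first expired link (the behaviour the thread observes for GnuTLS);
    trusted_first=True prefers a trust-store anchor over a served intermediate
    with the same name (the OpenSSL-style behaviour)."""
    by_subject = {c.subject: c for c in served[1:]}
    cur = served[0]
    while True:
        if cur.not_after < now:
            return False, f"expired: {cur.subject}"
        anchor = trusted.get(cur.issuer)
        if anchor is not None and (trusted_first or cur.issuer not in by_subject):
            if anchor.not_after < now:
                return False, f"expired trust anchor: {anchor.subject}"
            return True, f"anchored at {anchor.subject}"
        cur = by_subject.get(cur.issuer)
        if cur is None:
            return False, "issuer not found"
```

Calling `build_path(SERVED[:2], TRUSTED, NOW, trusted_first=False)` models the fix Petr asks for: with the cross-certificate no longer served, even the link-by-link builder anchors at USERTrust.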