[Bug 213226] security/ca_root_nss: 3.27 is missing cert for googlecode.com
bugzilla-noreply at freebsd.org
Wed Oct 5 10:59:13 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213226
Bug ID: 213226
Summary: security/ca_root_nss: 3.27 is missing cert for googlecode.com
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: ports-secteam at FreeBSD.org
Reporter: dch at skunkwerks.at
Flags: maintainer-feedback?(ports-secteam at FreeBSD.org)
After updating from 3.26 -> 3.27, Google sites such as googlecode.com no longer
work over https. Examples follow.
```
curl -vs https://go.googlesource.com/tools/ > /dev/null
...
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
...
* SSL certificate problem: unable to get local issuer certificate
```
## versions
```
dch at wintermute /u/l/s/certs> uname -a
FreeBSD wintermute.skunkwerks.at 11.0-RELEASE FreeBSD 11.0-RELEASE #0 r306211:
Thu Sep 22 21:43:30 UTC 2016
root at releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
dch at wintermute /u/l/s/certs> pkg info ca_root_nss libressl curl
ca_root_nss-3.27
libressl-2.4.3
curl-7.50.3
$ pkg info curl
curl-7.50.3
Name : curl
Version : 7.50.3
Installed on : Wed Oct 5 10:53:54 2016 UTC
Origin : ftp/curl
Architecture : freebsd:11:x86:64
Prefix : /usr/local
Categories : ipv6 ftp www
Licenses : MIT
Maintainer : sunpoet at FreeBSD.org
WWW : http://curl.haxx.se/
Comment : Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
servers
Options :
CARES : off
CA_BUNDLE : on
COOKIES : on
CURL_DEBUG : off
DEBUG : off
DOCS : on
EXAMPLES : on
GNUTLS : off
GSSAPI_BASE : off
GSSAPI_HEIMDAL : off
GSSAPI_MIT : on
GSSAPI_NONE : off
HTTP2 : on
IDN : off
IPV6 : on
LDAP : off
LDAPS : off
LIBSSH2 : off
METALINK : off
NSS : off
OPENSSL : on
POLARSSL : off
PROXY : on
PSL : off
RTMP : off
THREADED_RESOLVER: on
TLS_SRP : off
WOLFSSL : off
Shared Libs required:
libcom_err.so.3.0
libssl.so.39
libk5crypto.so.3.1
libnghttp2.so.14
libgssapi_krb5.so.2.2
libkrb5.so.3.3
libcrypto.so.38
Shared Libs provided:
libcurl.so.4
Annotations :
cpe : cpe:2.3:a:haxx:curl:7.50.3:::::freebsd11:x64
repo_type : binary
repository : pkg.domarino.com
Flat size : 5.09MiB
Description :
curl is a client to get documents/files from servers, using any of the
supported protocols. The command is designed to work without user
interaction or any kind of interactivity.
curl offers a busload of useful tricks like proxy support, user
authentication, ftp upload, HTTP post, SSL (https:) connections, file
transfer resume and more.
WWW: http://curl.haxx.se/
$ pkg info libressl
libressl-2.4.3
Name : libressl
Version : 2.4.3
Installed on : Wed Oct 5 10:53:26 2016 UTC
Origin : security/libressl
Architecture : freebsd:11:x86:64
Prefix : /usr/local
Categories : security devel
Licenses : BSD4CLAUSE
Maintainer : brnrd at FreeBSD.org
WWW : http://www.libressl.org/
Comment : Free version of the SSL/TLS protocol forked from OpenSSL
Options :
MAN3 : on
NC : on
Shared Libs provided:
libssl.so.39
libtls.so.11
libcrypto.so.38
Annotations :
cpe : cpe:2.3:a:openbsd:libressl:2.4.3:::::freebsd11:x64
repo_type : binary
repository : pkg.domarino.com
Flat size : 8.72MiB
Description :
LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols. It was forked from the OpenSSL
cryptographic software library in April 2014 as a response by OpenBSD
developers to the Heartbleed security vulnerability in OpenSSL,
with the aim of refactoring the OpenSSL code so as to provide a more secure
implementation.
LibreSSL was forked from the OpenSSL library starting with the 1.0.1g branch
and will follow the security guidelines used elsewhere in the OpenBSD project.
WWW: http://www.libressl.org/
$ pkg info ca_root_nss
ca_root_nss-3.27
Name : ca_root_nss
Version : 3.27
Installed on : Wed Oct 5 10:53:40 2016 UTC
Origin : security/ca_root_nss
Architecture : freebsd:11:*
Prefix : /usr/local
Categories : security
Licenses : MPL
Maintainer : ports-secteam at FreeBSD.org
WWW : UNKNOWN
Comment : Root certificate bundle from the Mozilla Project
Options :
ETCSYMLINK : on
Annotations :
repo_type : binary
repository : pkg.domarino.com
Flat size : 896KiB
Description :
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.
This port directly tracks the version of NSS in the security/nss port.
$
```
NB: the libressl version is unrelated; using libressl-2.4.2 with the newer certs also
fails.
## expected result (using ca_root_nss-3.26)
```
dch at wintermute /tmp> sudo pkg install -f /var/cache/pkg/ca_root_nss-3.26.txz
Updating skunkwerks repository catalogue...
skunkwerks repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
ca_root_nss: 3.26
Number of packages to be installed: 1
Proceed with this action? [y/N]: y
[1/1] Installing ca_root_nss-3.26...
[1/1] Extracting ca_root_nss-3.26: 100%
Message from ca_root_nss-3.26:
********************************* WARNING *********************************
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
*********************************** NOTE **********************************
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
***************************************************************************
dch at wintermute /tmp> curl -vs https://go.googlesource.com/tools/ > /dev/null
* Trying 2a00:1450:400c:c09::52...
* TCP_NODELAY set
* Connected to go.googlesource.com (2a00:1450:400c:c09::52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3260 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc;
CN=*.googlecode.com
* start date: Sep 29 16:53:40 2016 GMT
* expire date: Dec 22 16:37:00 2016 GMT
* subjectAltName: host "go.googlesource.com" matched cert's
"*.googlesource.com"
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade:
len=0
* Using Stream ID: 1 (easy handle 0x801e7b500)
> GET /tools/ HTTP/1.1
> Host: go.googlesource.com
> User-Agent: curl/7.50.3
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< content-type: text/html; charset=UTF-8
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: Mon, 01 Jan 1990 00:00:00 GMT
< date: Wed, 05 Oct 2016 10:26:25 GMT
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< server: GSE
< alt-svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
<
{ [1178 bytes data]
* Curl_http_done: called premature == 0
* Connection #0 to host go.googlesource.com left intact
```
## actual results using ca_root_nss-3.27
```
dch at wintermute /u/l/s/certs> sudo pkg upgrade
Updating skunkwerks repository catalogue...
skunkwerks repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (5 candidates): 80%
fish-2.2.0 is locked and may not be modified
Checking for upgrades (5 candidates): 100%
Processing candidates (5 candidates): 100%
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
ca_root_nss: 3.26 -> 3.27
Number of packages to be upgraded: 1
Proceed with this action? [y/N]: y
[1/1] Upgrading ca_root_nss from 3.26 to 3.27...
[1/1] Extracting ca_root_nss-3.27: 100%
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer
needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer
needed.
Message from ca_root_nss-3.27:
********************************* WARNING *********************************
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
*********************************** NOTE **********************************
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
***************************************************************************
dch at wintermute /u/l/s/certs> curl -vs https://go.googlesource.com/tools/ > /dev/null
* Trying 2a00:1450:400c:c09::52...
* TCP_NODELAY set
* Connected to go.googlesource.com (2a00:1450:400c:c09::52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3260 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
dch at wintermute /u/l/s/certs>
```
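As an added example (not from the bug report or the port), the check a maintainer would run before chasing the curl or libressl side: diff the ca-root-nss.crt from 3.26 against the one from 3.27 by certificate fingerprint to see which roots the update dropped. It assumes the bundle annotates each root with a `## Label: "..."` comment line; the two inline bundles are constructed stand-ins, so point `diff_bundles` at the real `/usr/local/share/certs/ca-root-nss.crt` from each package to get actual names.

```python
"""Diff two PEM CA bundles by SHA-256 fingerprint of each certificate's DER.
Added example (not from the bug report): compare the ca-root-nss.crt of 3.26
with that of 3.27 to see which roots the update dropped."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Assumption: each root is preceded by a '## Label: "..."' comment line, as in
# the FreeBSD bundle; without one the fingerprint itself serves as the label.
LABEL_LINE = re.compile(r'^##\s*Label:\s*"([^"]*)"', re.M)


def load_bundle(text):
    """Return {sha256 fingerprint: label} for every cert in a PEM bundle.
    The fingerprint equals `openssl x509 -noout -fingerprint -sha256` output
    (without colons), so a dropped root can be checked against the CA's own
    published fingerprint."""
    certs, pos = {}, 0
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        fp = hashlib.sha256(der).hexdigest()
        labels = LABEL_LINE.findall(text[pos:m.start()])
        certs[fp] = labels[-1] if labels else fp
        pos = m.end()
    return certs


def diff_bundles(old_text, new_text):
    """Return (dropped, added) root labels between two bundle versions."""
    old, new = load_bundle(old_text), load_bundle(new_text)
    dropped = sorted(old[fp] for fp in old.keys() - new.keys())
    added = sorted(new[fp] for fp in new.keys() - old.keys())
    return dropped, added


def _pem(label, der):
    """Constructed sample entry; the DER payload is a dummy, not a real cert."""
    b64 = base64.b64encode(der).decode()
    return (f'##\n## Label: "{label}"\n##\n-----BEGIN CERTIFICATE-----\n'
            f"{b64}\n-----END CERTIFICATE-----\n")


# Constructed stand-ins for the 3.26 and 3.27 bundles (not the real files).
OLD_BUNDLE = _pem("Root A", b"dummy-der-A") + _pem("Root B", b"dummy-der-B")
NEW_BUNDLE = _pem("Root A", b"dummy-der-A") + _pem("Root C", b"dummy-der-C")

if __name__ == "__main__":
    print(diff_bundles(OLD_BUNDLE, NEW_BUNDLE))  # (['Root B'], ['Root C'])
```

A root reported as dropped that matches the issuer chain of the failing site (here the chain ending in "Google Internet Authority G2") explains the "unable to get local issuer certificate" error without any change in curl or libressl.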