Summary: | app-misc/ca-certificates: remove expired certificates? | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Daniel Neugebauer <energiequant>
Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | sam, tomaszg
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=726650 | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Attachments: | emerge --info output | |
Description

Daniel Neugebauer 2020-05-31 09:49:35 UTC

Created attachment 642868
emerge --info output
The breakage you are experiencing is around this certificate: https://crt.sh/?id=1

There is a writeup here: https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration

TL;DR buggy clients fail to use the cross-signed cert that's valid.

Gentoo ca-certificates tries to stay close to upstream, in this case Debian+NSS bundled together, and we'd like to keep it that way I feel. I do see an upstream discussion about the removal, so hopefully there is progress shortly.

Debian has just published a new ca-certificates package which removes the AddTrust cert (+obsolete Symantec certs), so re-syncing with upstream should do this.

hanno: I think Debian screwed up their release. It's NOT on https://packages.debian.org/source/sid/ca-certificates yet (still shows 20190110). Some of the Debian mirrors DO have ca-certificates_20200601.tar.xz that I'm going to see about using anyway after verifying content.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=617b767f5022f81117e028e258d8b0e008594a31

commit 617b767f5022f81117e028e258d8b0e008594a31
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2020-06-02 16:48:35 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-06-02 17:13:18 +0000

    app-misc/ca-certificates: bump

    Bump to unreleased latest Debian sources which haven't been formally
    announced but are available via the Debian git systems.

    Removes expired AddTrust External CA root causing problems with GnuTLS &
    OpenSSL 1.0.

    Closes: https://bugs.gentoo.org/726412
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=726650
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 app-misc/ca-certificates/Manifest         |   1 +
 .../ca-certificates-20200601.3.53.ebuild  | 192 +++++++++++++++++++++
 2 files changed, 193 insertions(+)

Seems that this upgrade of ca-certificates broke some apps for me. Notably I noticed some Steam games having trouble connecting to their servers. I don't know which certificate is to blame for this (or how to check it).

(In reply to Tomasz Golinski from comment #6)
> Seems that this upgrade of ca-certificates broke some apps for me. Notably I
> noticed some Steam games having trouble connecting to their servers. I don't
> know which certificate is to blame for this (or how to check it).

Can you open a new bug please?

In terms of trying to trace it, forcing Steam to go via a MITMproxy and tcpdump/https dump of what's going on should be enough. Would need to compare behavior with old vs new ca-certificates present. At the very least, finding out what it's trying to connect to (hostname/IP, port, SNI or other TLS headers)
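A check for the condition this bug is about, added here as an example and not taken from the bug report or the ca-certificates ebuild: walk a PEM trust bundle such as /etc/ssl/certs/ca-certificates.crt (the Debian/Gentoo path) and report every certificate that has already expired or will expire within a grace window, so an expired root like AddTrust External CA Root can be found before it breaks GnuTLS or OpenSSL 1.0 clients. It assumes `openssl` and `awk` are installed; the bundle path and grace period are command-line arguments.

```shell
#!/bin/sh
# Added example (not from the bug report or the ca-certificates ebuild):
# report certificates in a PEM trust bundle that are expired or about to
# expire. Assumes `openssl` and `awk` are installed.

# Count certificate blocks in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split bundle $1 into one file per certificate inside directory $2, named
# 0001.pem, 0002.pem, ... in bundle order. Each file is closed as soon as its
# END marker is written, so a large bundle does not exhaust open files.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Print subject and notAfter of each certificate in bundle $1 whose notAfter
# lies within $2 seconds from now (0 = already expired). Returns 0 when no
# certificate matches, 1 when at least one does.
report_expiring_certs() {
    bundle=$1
    grace=${2:-0}
    dir=$(mktemp -d)
    hits=0
    split_pem_bundle "$bundle" "$dir"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # Skip blocks openssl cannot parse rather than misreporting them.
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "unparseable certificate block: $f" >&2
            continue
        fi
        # -checkend exits non-zero when the certificate expires within the window.
        if ! openssl x509 -in "$f" -noout -checkend "$grace" >/dev/null 2>&1; then
            openssl x509 -in "$f" -noout -subject -enddate
            hits=$((hits + 1))
        fi
    done
    rm -rf "$dir"
    [ "$hits" -eq 0 ]
}

# Usage: sh check-bundle.sh /etc/ssl/certs/ca-certificates.crt [grace-seconds]
if [ "$#" -gt 0 ]; then
    report_expiring_certs "$1" "${2:-0}"
fi
```

A non-zero exit status means at least one certificate in the bundle is expired or inside the grace window, which makes the script usable as a cron or CI check after a ca-certificates upgrade.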