Bug 256437 - Warning via SSL Blacklist 4.0 "certificate with MD5 RSA signature"
Summary: Warning via SSL Blacklist 4.0 "certificate with MD5 RSA signature"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Bugzilla
Hardware: All Linux
Importance: High normal
Assignee: Bugzilla Admins
Duplicates: 263595 451506
Reported: 2009-01-26 17:53 UTC by Richard Hartmann
Modified: 2014-01-05 16:04 UTC

Attachments
error message regarding bugs.gentoo.org md5 certificate (md5_error.PNG,14.78 KB, image/png)
2009-01-26 17:55 UTC, Richard Hartmann
Description Richard Hartmann 2009-01-26 17:53:51 UTC
I use SSL Blacklist 4.0 as a Firefox plugin. Today I received the above warning, after opening an open bug ticket. Please see the attached screenshot. I thought I should better let you know.

As I am no expert in these issues, please decide yourself if this is a minor problem or a security issue.

Reproducible: Always

Steps to Reproduce:
1. open Firefox 3.0.5
2. install SSL Blacklist 4.0.30
3. open an open bug like https://bugs.gentoo.org/show_bug.cgi?id=gcc-4.3

Actual Results:  
Warning via SSL Blacklist 4.0 "certificate with MD5 RSA signature"
Comment 1 Richard Hartmann 2009-01-26 17:55:23 UTC
Created attachment 179792 [details]
error message regarding bugs.gentoo.org md5 certificate
Comment 2 Nico R. 2009-01-29 17:10:19 UTC
Not a Gentoo issue (as tracked in bug 223347); originates at CAcert.

See <URL:http://blog.cacert.org/2009/01/356.html> or <URL:http://wiki.cacert.org/wiki/SecurityNotes> for details on this.

If you like to, report the problem to the CAcert support, please.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-03-25 00:54:00 UTC
*** Bug 263595 has been marked as a duplicate of this bug. ***
Comment 4 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2012-03-19 11:23:42 UTC
It might just finally be safe to close this now. 

Earlier today I hit an issue with the latest changes on firefox nightly that blocked 3rd-party MD5 as well, which rendered b.g.o inaccessible in entirety, gnutls-cli gave this output:

https://gist.github.com/7e631ad1a7502322efd0

Paying attention to Certificate[2] info: 

subject `O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root', 
issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', 
RSA key 4096 bits, 
signed using RSA-MD5 (broken!), 
activated `2005-10-14 07:36:55 UTC', 
expires `2033-03-28 07:36:55 UTC', 
SHA-1 fingerprint `db4c4269073fe9c2a37d890a5c1b18c4184e2a2d'

After a bit of debugging on #gentoo-dev-help with marienz we got to the root ( heh ) of the cause and somebody updated b.g.o's cert to one with an RSA-SHA256 Class-3 Root cert.

So it now looks like this:
https://gist.github.com/6d5f63bdca3faf5bf0fd

Now with an additional signature, Certificate[3] info, which supersedes the MD5 one somehow:

subject `O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root', 
issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', 
RSA key 4096 bits, 
signed using RSA-SHA256, 
activated `2011-05-23 17:48:02 UTC', 
expires `2021-05-20 17:48:02 UTC', 
SHA-1 fingerprint `ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce'

And this hopefully will be the last of the MD5 issues.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-03-19 20:33:35 UTC
kentfrederic, can you please run your same test with that new Firefox on the rest of our SSL sites?

blogs.gentoo.org
bugs.gentoo.org
bugstest.gentoo.org
council-webapp.gentoo.org
forums.gentoo.org
forumstest.gentoo.org
overlays.gentoo.org
piwik.gentoo.org
recruiting.gentoo.org
test.gentoo.org
wiki.gentoo.org
Comment 6 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2012-03-19 21:35:31 UTC
(In reply to comment #5)
> kentfrederic, can you please run your same test with that new Firefox on the
> rest of our SSL sites?
> 

> council-webapp.gentoo.org
Can't seem to access this one at all for some reason. 


> bugstest.gentoo.org
And this one appears to be working, asks me for login which I don't have, but that means SSL is working as far as I can tell.
"The certificate expired on 05/10/11 05:28. The current time is 20/03/12 10:32."


> forumstest.gentoo.org
This is fine, apart from the cert is expired:
"The certificate expired on 20/05/11 13:01. The current time is 20/03/12 10:30."


All these ones look good to me though

> blogs.gentoo.org
> bugs.gentoo.org
> forums.gentoo.org
> overlays.gentoo.org
> piwik.gentoo.org
> recruiting.gentoo.org
> test.gentoo.org
> wiki.gentoo.org
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-09-10 07:51:05 UTC
*** Bug 451506 has been marked as a duplicate of this bug. ***
Comment 8 Alex Xu (Hello71) 2013-09-10 20:43:23 UTC
> blogs.gentoo.org
good (DigiCert)

> bugs.gentoo.org
bad. both class 3 roots are offered, but gnutls complains about the MD5 one.

I think both certificates are being sent as intermediates when only one should be, and removing the MD5 one should solve the issue.

> bugstest.gentoo.org
good (DigiCert), but it won't work on bug*.bugs.gentoo.org

> council-webapp.gentoo.org
*** Received alert [112]: The server name sent was not recognized
 - subject `C=US,ST=Oregon,L=Corvallis,O=Gentoo Linux,OU=Gentoo Infrastructure,CN=*.gentoo.org,EMAIL=infra-admin@gentoo.org', issuer `C=US,ST=Oregon,O=Gentoo Linux,OU=Gentoo Infrastructure,CN=Infra Admin,EMAIL=infra-admin@gentoo.org', RSA key 1024 bits, signed using RSA-SHA1, activated `2007-10-05 04:07:51 UTC', expires `2017-10-02 04:07:51 UTC', SHA-1 fingerprint `fe86f80604c3bdb99ea2589b96a59483d668dc17'
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 

> forums.gentoo.org
good (DigiCert)

> forumstest.gentoo.org
good (DigiCert)

> overlays.gentoo.org
good (DigiCert)

> piwik.gentoo.org
good (DigiCert)

> recruiting.gentoo.org
*** Received alert [112]: The server name sent was not recognized
 - subject `C=US,ST=Oregon,L=Corvallis,O=Gentoo Linux,OU=Gentoo Infrastructure,CN=*.gentoo.org,EMAIL=infra-admin@gentoo.org', issuer `C=US,ST=Oregon,O=Gentoo Linux,OU=Gentoo Infrastructure,CN=Infra Admin,EMAIL=infra-admin@gentoo.org', RSA key 1024 bits, signed using RSA-SHA1, activated `2007-10-05 04:07:51 UTC', expires `2017-10-02 04:07:51 UTC', SHA-1 fingerprint `fe86f80604c3bdb99ea2589b96a59483d668dc17'
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 

> test.gentoo.org
good (DigiCert)

> wiki.gentoo.org
good (DigiCert)
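A chain-hygiene check in the spirit of comments 4 and 8, added here as an example and not code from this bug or from Gentoo infrastructure: it parses gnutls-cli style `Certificate[N] info` blocks and flags an MD5-signed intermediate, two intermediates offered for one subject, and expired certificates. The sample chain is constructed from the two Class 3 root entries quoted above plus a placeholder leaf; `parse_chain`, `audit_chain`, `AUDIT_TIME` and `BROKEN_SIGALGS` are this example's own names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the gnutls-cli format quoted in comments 4 and 8: a leaf (placeholder
# values) plus two intermediates with the same CAcert Class 3 subject, one RSA-MD5, one RSA-SHA256.
SAMPLE_CHAIN = """\
- Certificate[0] info:
 - subject `CN=bugs.gentoo.org,O=Gentoo Linux', issuer `O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root', RSA key 2048 bits, signed using RSA-SHA256, activated `2012-03-19 00:00:00 UTC', expires `2014-03-19 00:00:00 UTC', SHA-1 fingerprint `PLACEHOLDER-FINGERPRINT'
- Certificate[1] info:
 - subject `O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-MD5 (broken!), activated `2005-10-14 07:36:55 UTC', expires `2033-03-28 07:36:55 UTC', SHA-1 fingerprint `db4c4269073fe9c2a37d890a5c1b18c4184e2a2d'
- Certificate[2] info:
 - subject `O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org', RSA key 4096 bits, signed using RSA-SHA256, activated `2011-05-23 17:48:02 UTC', expires `2021-05-20 17:48:02 UTC', SHA-1 fingerprint `ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce'
"""
# Constructed reference time, roughly when comment 6 was written.
AUDIT_TIME = datetime(2012, 3, 20, tzinfo=timezone.utc)

FIELD_RE = re.compile(
    r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)', RSA key (?P<bits>\d+) bits, "
    r"signed using (?P<sigalg>[A-Za-z0-9-]+)(?: \(broken!\))?, activated `[^']*', expires `(?P<expires>[^']*)'")
BROKEN_SIGALGS = {"RSA-MD5", "RSA-MD2"}  # collision-capable digests; a chain must not depend on them

def parse_chain(text):
    """Return one dict per '- Certificate[N] info:' block of gnutls-cli output."""
    certs = []
    parts = re.split(r"- Certificate\[(\d+)\] info:", text)
    for idx, body in zip(parts[1::2], parts[2::2]):
        m = FIELD_RE.search(" ".join(body.split()))  # fields may be wrapped over several lines
        if m:
            c = m.groupdict()
            c["index"], c["bits"] = int(idx), int(c["bits"])
            c["expires"] = datetime.strptime(c["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            certs.append(c)
    return certs

def audit_chain(text, now):
    """Flag an MD5-signed certificate, duplicate intermediates for one subject, and expiry as of `now`."""
    findings, by_subject = [], {}
    for c in parse_chain(text):
        cn = re.search(r"CN=[^,]+", c["subject"]).group()
        tag = f"Certificate[{c['index']}] ({cn})"
        if c["sigalg"] in BROKEN_SIGALGS:
            findings.append(f"{tag}: signed using {c['sigalg']}, which is broken; must be replaced")
        if c["expires"] < now:
            findings.append(f"{tag}: expired on {c['expires']:%Y-%m-%d}")
        by_subject.setdefault(c["subject"], []).append(c)
    for subject, dupes in by_subject.items():
        if len(dupes) > 1:  # comment 8: both Class 3 roots are sent; only the SHA256 one belongs in the chain
            drop = [d["index"] for d in dupes if d["sigalg"] in BROKEN_SIGALGS]
            findings.append(f"{len(dupes)} certificates for `{subject}' in one chain; drop Certificate{drop}")
    return findings
```

Run against a live chain by pasting the output of `gnutls-cli --print-cert` style chain listing into `audit_chain`; with a current `now`, the expiry findings reflect today's date rather than the 2012 reference.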
Comment 9 Alex Xu (Hello71) 2014-01-02 23:06:12 UTC
FIXED/INVALID, since bug 482870 was fixed.