[MacPorts] #42718: certsync fails to verify macports.org certificate
MacPorts
noreply at macports.org
Wed Mar 5 06:36:07 PST 2014
#42718: certsync fails to verify macports.org certificate
---------------------------+-----------------------
Reporter: ryandesign@… | Owner: landonf@…
Type: defect | Status: assigned
Priority: High | Milestone:
Component: ports | Version: 2.2.1
Resolution: | Keywords:
Port: certsync |
---------------------------+-----------------------
Comment (by raimue@…):
The valid "GlobalSign Root CA" is actually a re-signed certificate with a
longer lifetime, using the same modulus/exponent as the older one that
expired at the end of January 2014. They both have the '''identical''' public
key.
After some more analysis, the curl-ca-bundle only contains the "GlobalSign
Root CA" certificate that is valid through 2028, while certsync
includes both of them in the same bundle. It seems like OpenSSL cannot
handle the same certificate twice in a bundle.
''Side note: I will attach a small perl helper script which I used to
split the certificate bundle into the original certificates, so they can
be examined using `openssl x509 -text -noout -in <file>.pem`.''
In experiments I got it to work by switching the order of the
certificates, but it stops working again when another one is added. I guess
it depends on some hash algorithm which one gets used, so a different order
is not a reliable fix. It seems like the only fix would be to leave out
that expired certificate...
I see two solutions:
==== Don't export any expired certificate
This means that using this CA in a chain would be reported as "untrusted"
instead of "expired". That solves this immediate problem because the older
"GlobalSign Root CA" certificate is expired now. It might not work in
other cases.
This is relatively easy to accomplish as we only need to check the expiry
date against the current date.
==== Only export one valid/non-expired certificate per public key
This means certsync needs a special case to check for duplicates and
pick the one with the later expiry date.
This needs a hash/dictionary keyed by the public key of the certificate, plus
some more checking.
--
Ticket URL: <https://trac.macports.org/ticket/42718#comment:4>
MacPorts <http://www.macports.org/>
Ports system for OS X
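Below is an added example of the two export policies discussed in the comment (skip expired certificates, and keep only the certificate with the latest expiry per public key). It is not certsync's code and not part of the ticket; it is written in Python against the third-party `cryptography` package (assumed to be installed), and it constructs its own sample bundle, modelled on the GlobalSign case: one root issued twice under the same key (the first copy expiring 2014-01-28, the re-signed one running to 2028) plus an unrelated root. The certificate names, key sizes and dates are constructed for the demonstration.

```python
"""Drop expired roots and export one certificate per public key.

Added example for the ticket discussion; not certsync's own code.
Assumes the third-party `cryptography` package is installed. The bundle
it operates on is constructed inline (see sample_bundle()).
"""
import datetime
import hashlib
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem(bundle: bytes) -> list:
    """Split a concatenated PEM bundle into parsed certificates (the same
    job as the Perl helper mentioned in the comment, but in-process)."""
    return [x509.load_pem_x509_certificate(m.group(0))
            for m in PEM_RE.finditer(bundle)]


def not_after(cert) -> datetime.datetime:
    """notAfter as an aware UTC datetime. Older `cryptography` releases only
    offer the naive `not_valid_after`, so fall back to it with UTC attached."""
    value = getattr(cert, "not_valid_after_utc", None)
    if value is None:
        value = cert.not_valid_after.replace(tzinfo=UTC)
    return value


def spki_fingerprint(cert) -> str:
    """Identity of the key itself: SHA-256 over the DER SubjectPublicKeyInfo.
    Two certificates carrying the same modulus/exponent collide here even
    though serial numbers, validity dates and signatures differ."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def dedupe_bundle(bundle: bytes, now=None) -> list:
    """Certificates to export: expired ones are skipped (solution 1), and of
    several certificates sharing one public key only the one with the latest
    notAfter survives (solution 2). First-seen order of keys is preserved."""
    now = now or datetime.datetime.now(UTC)
    best = {}  # spki fingerprint -> certificate with the latest expiry
    for cert in split_pem(bundle):
        if not_after(cert) <= now:
            continue
        key = spki_fingerprint(cert)
        if key not in best or not_after(cert) > not_after(best[key]):
            best[key] = cert
    return list(best.values())


def self_signed(key, cn, start, end):
    """Build a self-signed root for the constructed sample data."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(end)
            .sign(key, hashes.SHA256()))


def sample_bundle() -> bytes:
    """Constructed test data (not real CA certificates): one root issued
    twice under the same key, plus an unrelated root, concatenated the way
    a PEM CA bundle is."""
    reused = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    d = datetime.datetime
    certs = [
        self_signed(reused, "Example Root CA", d(1998, 9, 1), d(2014, 1, 28)),
        self_signed(reused, "Example Root CA", d(2006, 12, 15), d(2028, 1, 28)),
        self_signed(other, "Another Root CA", d(2010, 1, 1), d(2040, 1, 1)),
    ]
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


def export_years(bundle: bytes, now: datetime.datetime) -> list:
    """Expiry years of the certificates that would be exported."""
    return [not_after(c).year for c in dedupe_bundle(bundle, now)]


if __name__ == "__main__":
    bundle = sample_bundle()
    asof = datetime.datetime(2014, 3, 5, tzinfo=UTC)  # date of the comment
    print(len(split_pem(bundle)), "certificates in bundle")
    print(export_years(bundle, asof), "exported (expiry years)")
```

Keying the dictionary on the DER SubjectPublicKeyInfo rather than on the whole certificate is what makes the re-signed root collapse onto its predecessor; the fingerprint of the full certificate would differ and both copies would be exported again. Passing `now` explicitly keeps the policy testable against a fixed date instead of the wall clock.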