[Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

Yves-Alexis Perez corsac at debian.org
Sun Sep 4 15:35:16 UTC 2011


On Sun, 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > Looking at the patches, this really is:
> [...]
> 
> Ok, with the patches we got NSS covered, but we still need to do something for 
> other users.
> 
> A first look at stuff we ship, this seems to be their current status:
> * NSS:
> ice* packages should be okay after the latest NSS update.

For other NSS users I guess they're ok? I've just checked in evolution
certificate store and there's no DigiNotar one, though I don't know if
evolution would prevent connection to an imap/pop/smtp server with a
relevant certificate.

evolution uses gnutls for calendars (since it's http/https) and so is
protected through ca-certificates afaict?

> 
> * OpenSSL
> Nothing special here
> 
> * GnuTLS
> Nothing special here
> 
> * chromium:
> Even after the NSS update, it seems to be happy to use the Explicitly 
> Distrusted certs.

I've tried the three websites given on this bug report but I don't know
if they still make sense:

https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) but
as the redirect isn't prevented I guess chromium is ok with the
certificate.

https://sha2.diginotar.nl/ succeeds, chain of certification is:

CN = sha2.diginotar.nl
CN = DigiNotar PKIoverheid CA Organisatie - G2
CN = Staat der Nederlanden Organisatie CA - G2
CN = Staat der Nederlanden Root CA - G2 (chromium builtin).


Regards,
-- 
Yves-Alexis