[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2016-04-12 Thread Rodney Dawes
** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
   Status: Fix Committed => Won't Fix

** Changed in: ubuntuone-storage-protocol
   Status: Fix Committed => Fix Released

** Changed in: ubuntuone-storage-protocol/stable-13-10
   Status: Fix Committed => Fix Released

** Changed in: ubuntuone-storage-protocol/stable-3-0
   Status: Fix Committed => Fix Released

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
 Assignee: Rodney Dawes (dobey) => (unassigned)

** Changed in: ubuntuone-storage-protocol (Ubuntu Saucy)
 Assignee: Rodney Dawes (dobey) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1307549

Title:
  Should load all available CA Certificates and not just the u1
  bundled/shipped ones

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntuone-storage-protocol/+bug/1307549/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2015-04-06 Thread Mathew Hodson
** Description changed:

  The client should load all available certificates instead of the
- UbuntuOne*.pem  ones.
+ UbuntuOne*.pem ones.
  
  [Impact]
- This is needed as the server will change the certificates due to the recent 
SSL bug and it will not verify against the current loaded CA certificates.  
This change will be future-proof against any other changes to the certificate 
chain.
  
- [Regression potential]
- The use of all available certificates in the system certificate store, 
instead of a select few, increases the risk of a MITM attack by way of a 
weakest-link CA.  However, many other packages use /etc/ssl/certs as their 
certificate store, so this problem would not be specific to UbuntuOne and it 
would be a critical security problem if any of the listed CAs were compromised.
+ This is needed as the server will change the certificates due to the
+ recent SSL bug and it will not verify against the current loaded CA
+ certificates.  This change will be future-proof against any other
+ changes to the certificate chain.
  
- [Test case]
+ [Test Case]
+ 
+ A small protocol client is attached that connects and pings the server.
+ 
+ In order to test it, we have the new certificates (with the chain, etc)
+ at staging:
+ 
+ from the root of the branch:
+ 
+ PYTHONPATH=. python2.7 ping_client.py staging
+ 
+ or with the package installed:
+ 
+ python2.7 ping_client.py staging
+ 
+ [Regression Potential]
+ 
+ The use of all available certificates in the system certificate store,
+ instead of a select few, increases the risk of a MITM attack by way of a
+ weakest-link CA. However, many other packages use /etc/ssl/certs as
+ their certificate store, so this problem would not be specific to
+ UbuntuOne and it would be a critical security problem if any of the
+ listed CAs were compromised.
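
Review bot: the added [Test Case] section gives the two `ping_client.py staging` invocations but never states what result counts as a pass, so a verifier cannot tell success from failure from the description alone. Add a line naming the expected outcome of the ping. Since staging is described as carrying only the new certificates, also say whether the same client should be run against the current production certificate.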



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2015-03-18 Thread Rolf Leggewie
Please add a test case for verification



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-12-04 Thread Rolf Leggewie
saucy has seen the end of its life and is no longer receiving any
updates. Marking the saucy task for this ticket as "Won't Fix".

** Changed in: ubuntuone-storage-protocol (Ubuntu Saucy)
   Status: Fix Committed => Won't Fix



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-05-21 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/precise-proposed/ubuntuone-storage-protocol

** Branch linked: lp:ubuntu/saucy-proposed/ubuntuone-storage-protocol



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-05-21 Thread Adam Conrad
Hello Guillermo, or anyone else affected,

Accepted ubuntuone-storage-protocol into precise-proposed. The package
will build now and be available at
http://launchpad.net/ubuntu/+source/ubuntuone-storage-protocol/3.0.2-0ubuntu1.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: ubuntuone-storage-protocol (Ubuntu Saucy)
   Status: In Progress => Fix Committed

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
   Status: In Progress => Fix Committed

** Tags added: verification-needed



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-05-13 Thread Rodney Dawes
** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
   Status: Incomplete => In Progress



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-05-13 Thread Guillermo Gonzalez
Hi Steve,

Apologies for the delay.

I attached a small protocol client that connects and pings the server.

In order to test it, we have the new certificates (with the chain, etc)
at staging:

from the root of the branch:

PYTHONPATH=. python2.7 ping_client.py staging

or with the package installed:

python2.7 ping_client.py staging


** Attachment added: "test client"
   https://bugs.launchpad.net/ubuntuone-storage-protocol/+bug/1307549/+attachment/4111503/+files/ping_client.py



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-04-30 Thread Steve Langasek
Hi folks,

I've filled out the SRU template for this bug as best I can based on the
package in the queue.  However, I don't consider the test case included
in the source to be sufficient; the test case merely duplicates the code
in the get_certificates() call itself, but does not prove that loading
the certificates in this way will work with either the current
production certificate, or the future replacement certificate.  Could
someone please provide an appropriate test for this?  (Does not have to
be an automated test in python - a text "how to test" in the bug
description is sufficient.)

** Description changed:

  The client should load all available certificates instead of the
  UbuntuOne*.pem  ones.
  
- This is needed as the server will change the certificates due to the
- recent SSL bug and it will not verify against the current loaded CA
- certificates.
+ [Impact]
+ This is needed as the server will change the certificates due to the recent 
SSL bug and it will not verify against the current loaded CA certificates.  
This change will be future-proof against any other changes to the certificate 
chain.
+ 
+ [Regression potential]
+ The use of all available certificates in the system certificate store, 
instead of a select few, increases the risk of a MITM attack by way of a 
weakest-link CA.  However, many other packages use /etc/ssl/certs as their 
certificate store, so this problem would not be specific to UbuntuOne and it 
would be a critical security problem if any of the listed CAs were compromised.
+ 
+ [Test case]

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
   Status: In Progress => Incomplete



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-04-15 Thread Ubuntu One Auto Pilot
** Changed in: ubuntuone-storage-protocol
   Status: In Progress => Fix Committed

** Changed in: ubuntuone-storage-protocol/stable-3-0
   Status: In Progress => Fix Committed

** Changed in: ubuntuone-storage-protocol/stable-13-10
   Status: In Progress => Fix Committed



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-04-15 Thread Rodney Dawes
** Changed in: ubuntuone-storage-protocol/stable-3-0
   Status: New => In Progress

** Changed in: ubuntuone-storage-protocol/stable-13-10
   Status: New => In Progress

** Changed in: ubuntuone-storage-protocol
   Status: New => In Progress

** Changed in: ubuntuone-storage-protocol
 Assignee: (unassigned) => Guillermo Gonzalez (verterok)

** Changed in: ubuntuone-storage-protocol/stable-13-10
 Assignee: (unassigned) => Guillermo Gonzalez (verterok)

** Changed in: ubuntuone-storage-protocol/stable-3-0
 Assignee: (unassigned) => Guillermo Gonzalez (verterok)



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-04-14 Thread Rodney Dawes
** Changed in: ubuntuone-storage-protocol (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
   Importance: Undecided => Critical



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-04-14 Thread Launchpad Bug Tracker
** Branch linked: lp:~verterok/ubuntuone-storage-protocol/load-all-available-certs



[Bug 1307549] Re: Should load all available CA Certificates and not just the u1 bundled/shipped ones

2014-04-14 Thread Rodney Dawes
** Also affects: ubuntuone-storage-protocol (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: ubuntuone-storage-protocol (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: ubuntuone-storage-protocol (Ubuntu Saucy)
   Importance: Undecided
   Status: New

** Changed in: ubuntuone-storage-protocol (Ubuntu)
   Status: New => Invalid

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
   Status: New => In Progress

** Changed in: ubuntuone-storage-protocol (Ubuntu Saucy)
   Status: New => In Progress

** Changed in: ubuntuone-storage-protocol (Ubuntu Saucy)
 Assignee: (unassigned) => Rodney Dawes (dobey)

** Changed in: ubuntuone-storage-protocol (Ubuntu Precise)
 Assignee: (unassigned) => Rodney Dawes (dobey)
