On Thursday 08 September 2011 16:57:56 Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 10:06:55PM -0500, Raphael Geissert wrote:
> > The patch for 0.9.8 is also attached, but I haven't tested it yet. It was
> > made based on squeeze's openssl and it seems to apply fine to lenny's
> > openssl (just a f
On Wed, Sep 07, 2011 at 10:06:55PM -0500, Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basically saying that X509_verify_cert() should give an
> > > error in case it finds DigiNota
On Wednesday 07 September 2011 22:06:55 Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basically saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar
On Tuesday 06 September 2011 08:19:27 Mike Hommey wrote:
> On Tue, Sep 06, 2011 at 03:03:27PM +0200, Giuseppe Iuculano wrote:
> > On 09/04/2011 09:20 PM, Raphael Geissert wrote:
> > > Giuseppe, do you already have plans for updating chromium? (more info
> > > on the CCed bug.)
> >
> > chromium use
On Wednesday 07 September 2011 11:23:18 Kurt Roeckx wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > > The only currently supported methods are OCSP and CRL, but none would
> > > > do the trick in this c
On Wed, Sep 07, 2011 at 06:23:18PM +0200, Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 10:57:51AM -0500, Raphael Geissert wrote:
> > [Kurt, please CC me on your replies. The BTS' -subscribe functionality doesn't
> > seem to be working]
> > [CC'ing ubuntu sec, in case Kees or Jamie or whoever
On Wed, Sep 07, 2011 at 10:57:51AM -0500, Raphael Geissert wrote:
> [Kurt, please CC me on your replies. The BTS' -subscribe functionality doesn't
> seem to be working]
> [CC'ing ubuntu sec, in case Kees or Jamie or whoever is taking care of the
> issue is also working on something to complete
[Kurt, please CC me on your replies. The BTS' -subscribe functionality doesn't
seem to be working]
[CC'ing ubuntu sec, in case Kees or Jamie or whoever is taking care of the
issue is also working on something to completely block DigiNotar]
On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
On Tue, Sep 06, 2011 at 03:03:27PM +0200, Giuseppe Iuculano wrote:
> Hi,
>
> On 09/04/2011 09:20 PM, Raphael Geissert wrote:
> > NSS now ships modified certs of DigiNotar, their name is "Explicitly Disabled
> > DigiNotar "
> > In chromium, for example, if you browse a DigiNotar-signed websit
Hi,
On 09/04/2011 09:20 PM, Raphael Geissert wrote:
> NSS now ships modified certs of DigiNotar, their name is "Explicitly Disabled
> DigiNotar "
> In chromium, for example, if you browse a DigiNotar-signed website and check
> the certificate chain you will see the Explicitly Disabled cert there
On Tue., 2011-09-06 at 07:33 +0200, Mike Hommey wrote:
> On Mon, Sep 05, 2011 at 09:55:50PM +0200, Kurt Roeckx wrote:
> > On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > > On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > > > On Sun, Sep 04, 2011 at 12:02:48PM +0200,
On Mon, Sep 05, 2011 at 09:55:50PM +0200, Kurt Roeckx wrote:
> On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> > On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > > > There is also openssl-blacklist, bu
On Mon, Sep 05, 2011 at 02:15:31PM -0500, Raphael Geissert wrote:
> On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> > On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > > There is also openssl-blacklist, but it doesn't seem to have
> > > many users.
>
> However, openssl-blac
On Sunday 04 September 2011 05:55:27 Kurt Roeckx wrote:
> On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> > There is also openssl-blacklist, but it doesn't seem to have
> > many users.
However, openssl-blacklist only includes a program that checks whether a
certificate is weak, nothi
On Tuesday 30 August 2011 12:29:23 Raphael Geissert wrote:
> AFAIR they only know about CRL (Certificate Revocation List,) which only
> allows for one issuer per-file.
>
> What I can't tell for sure from the documentation is whether OpenSSL and
> GnuTLS do check the CRL's validity (signature and t
On Sunday 04 September 2011 13:54:29 Yves-Alexis Perez wrote:
> On Sun., 2011-09-04 at 13:34 -0500, Raphael Geissert wrote:
> > On Sunday 04 September 2011 10:35:16 Yves-Alexis Perez wrote:
> > > For other NSS users I guess they're ok? I've just checked in evolution
> > > certificate store and ther
On Sun., 2011-09-04 at 13:34 -0500, Raphael Geissert wrote:
> [Dropping CC on openssl maintainers, to reduce noise]
>
> On Sunday 04 September 2011 10:35:16 Yves-Alexis Perez wrote:
> > On Sun., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> > > On Saturday 03 September 2011 01:45:22 Mike Ho
[Dropping CC on openssl maintainers, to reduce noise]
On Sunday 04 September 2011 10:35:16 Yves-Alexis Perez wrote:
> On Sun., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> > On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > > Looking at the patches, this really is:
> > [...]
>
On Sunday 04 September 2011 02:34:13 Mike Hommey wrote:
> On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
> > * Qt:
> > Qt4 has built-in support for SSL via OpenSSL.
> > Qt 4.7 (wheezy+) uses certs from /etc/ssl
> > Qt 4.6 and older (lenny, squeeze) uses its own bundled list of c
On 09/04/2011 10:35 AM, Yves-Alexis Perez wrote:
> On Sun., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
>> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
>>> Looking at the patches, this really is:
>> [...]
>>
>> Ok, with the patches we got NSS covered, but we still need to do
>>
On Sun., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > Looking at the patches, this really is:
> [...]
>
> Ok, with the patches we got NSS covered, but we still need to do something
> for other users.
>
> A first look at stu
On Sun, Sep 04, 2011 at 12:02:48PM +0200, Kurt Roeckx wrote:
> On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
> >
> > Seems like it would be better if we also handled the issue at the libssl
> > level. OpenSSL maintainers: does that sound doable?
>
> I'm not sure what you mean
On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
>
> Seems like it would be better if we also handled the issue at the libssl
> level. OpenSSL maintainers: does that sound doable?
I'm not sure what you mean. We don't provide any certificates,
you need to tell openssl which cert
On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > Looking at the patches, this really is:
> [...]
>
> Ok, with the patches we got NSS covered, but we still need to do something
> for other users.
>
> A first look
On Sun, Sep 04, 2011 at 01:37:19AM -0500, Raphael Geissert wrote:
> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > Looking at the patches, this really is:
> [...]
>
> Ok, with the patches we got NSS covered, but we still need to do something
> for other users.
>
> A first look
On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> Looking at the patches, this really is:
[...]
Ok, with the patches we got NSS covered, but we still need to do something for
other users.
A first look at stuff we ship, this seems to be their current status:
* NSS:
ice* packages should
On Sat, Sep 03, 2011 at 08:45:22AM +0200, Mike Hommey wrote:
> On Sat, Sep 03, 2011 at 07:40:23AM +0200, Mike Hommey wrote:
> > On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > > On Wed, Aug 31, 2011 at 06:26:26AM +0
On Sat, Sep 03, 2011 at 07:40:23AM +0200, Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > So, I'll put that on tiredness. That'
On Sat, Sep 03, 2011 at 07:40:23AM +0200, Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > So, I'll put that on tiredness. That'
On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > So, I'll put that on tiredness. That'd be several fraudulent
> > > certificates which fingerprint is unkno
On Thu, Sep 01, 2011 at 11:37:41PM -0500, Raphael Geissert wrote:
> On Thursday 01 September 2011 17:47:57 Mike Hommey wrote:
> > On Thu, Sep 01, 2011 at 02:06:39PM -0500, Raphael Geissert wrote:
> > > Unless other certificates were signed with another CA, at least the
> > > *.google.com one should
On Thursday 01 September 2011 17:47:57 Mike Hommey wrote:
> On Thu, Sep 01, 2011 at 02:06:39PM -0500, Raphael Geissert wrote:
> > Unless other certificates were signed with another CA, at least the
> > *.google.com one should fail now. The chain of the public
> > *.google.com cert is:
> >
> >
On Thu, Sep 01, 2011 at 02:06:39PM -0500, Raphael Geissert wrote:
> On Thursday 01 September 2011 01:37:01 Mike Hommey wrote:
> > On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > Well, reality is that the Firefox 6.0.1 release, which has a whitelist
> > for Staat der Nederlan
On Thursday 01 September 2011 01:37:01 Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> Well, reality is that the Firefox 6.0.1 release, which has a whitelist
> for Staat der Nederlanden Root CA but not Staat der Nederlanden Root CA
> - G2, effectively prev
On Thu, Sep 01, 2011 at 08:37:01AM +0200, Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > So, I'll put that on tiredness. That'
On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > So, I'll put that on tiredness. That'd be several fraudulent
> > > certificates which fingerprint is unkno
On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > So, I'll put that on tiredness. That'd be several fraudulent
> > certificates which fingerprint is unknown (thus even CRL, OCSP and
> > blacklists can't do anything), and the mit
On Tue, Aug 30, 2011 at 10:49:04PM -0500, Raphael Geissert wrote:
> On Tuesday 30 August 2011 15:48:11 Mike Hommey wrote:
> > On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> > > On Tue., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > > > What I can't tell for sure from
On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> On Tue, Aug 30, 2011 at 10:48:11PM +0200, Mike Hommey wrote:
> > On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> > > On Tue., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > > > On Tuesday 30 August 2011 01:0
On Tue, Aug 30, 2011 at 10:48:11PM +0200, Mike Hommey wrote:
> On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> > On Tue., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > > On Tuesday 30 August 2011 01:08:29 Yves-Alexis Perez wrote:
> > > > On Mon., 2011-08-29 at 20:24 -0
On Tuesday 30 August 2011 15:48:11 Mike Hommey wrote:
> On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> > On Tue., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > > What I can't tell for sure from the documentation is whether OpenSSL
> > > and GnuTLS do check the CRL's v
On Tue., 2011-08-30 at 22:48 +0200, Mike Hommey wrote:
>
> 1. Several fraudulent certificates whose fingerprint is unknown signed
> with several different intermediate certs that are cross-signed by other
> "safe" CAs (aiui).
I missed that. What is the source for that? (I looked at the mozilla b
On Tue, Aug 30, 2011 at 09:58:18PM +0200, Yves-Alexis Perez wrote:
> On Tue., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 01:08:29 Yves-Alexis Perez wrote:
> > > On Mon., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> > > > I understand that they'd have to ma
On Tue., 2011-08-30 at 12:29 -0500, Raphael Geissert wrote:
> On Tuesday 30 August 2011 01:08:29 Yves-Alexis Perez wrote:
> > On Mon., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> > > I understand that they'd have to manually load the lists, but perhaps it
> > > would make sense to standardize
On Tuesday 30 August 2011 01:08:29 Yves-Alexis Perez wrote:
> On Mon., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> > I understand that they'd have to manually load the lists, but perhaps it
> > would make sense to standardize a location from which they should load
> > them? Does OpenSSL or G
On Mon., 2011-08-29 at 20:24 -0700, Josh Triplett wrote:
> On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> > On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > > Does OpenSSL not have any facility for a system-wide revocation
> list?
> >
> > No, I already checked that b
On Mon, Aug 29, 2011 at 08:32:40PM -0500, Raphael Geissert wrote:
> On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> > Does OpenSSL not have any facility for a system-wide revocation list?
>
> No, I already checked that back when the Comodo hack occurred.
> Every application needs to manua
On Monday 29 August 2011 20:19:11 Josh Triplett wrote:
> Does OpenSSL not have any facility for a system-wide revocation list?
No, I already checked that back when the Comodo hack occurred.
Every application needs to manually load the revocation lists, just like they
need to manually check the tr
On Mon, Aug 29, 2011 at 08:09:02PM -0500, Raphael Geissert wrote:
> On Monday 29 August 2011 16:03:57 Josh Triplett wrote:
> > Whatever resolution Mozilla and others end up with (revocation of the
> > certificate or of the entire CA), ca-certificates will likely need to
> > do the same.
>
> FWIW,
On Monday 29 August 2011 16:03:57 Josh Triplett wrote:
> Whatever resolution Mozilla and others end up with (revocation of the
> certificate or of the entire CA), ca-certificates will likely need to
> do the same.
FWIW, individual certificates can't be "revoked" in ca-certificates.
Shipping revoca
Package: ca-certificates
Version: 20110502
Severity: critical
Tags: security
Please see the following:
https://bugzilla.mozilla.org/show_bug.cgi?id=682956
http://pastebin.com/ff7Yg663
http://pastebin.com/SwCZqskV
(or just search current news for "DigiNotar", optionally in conjunction
with "gmail"