Crashes in OpenBSD, DragonFly BSD and Electron due to outdated IdenTrust root certificate

The expiry of the IdenTrust root certificate (DST Root CA X3) that was used to cross-sign the Let's Encrypt root certificate has caused failures when validating Let's Encrypt certificates in projects that use older versions of OpenSSL and GnuTLS. The LibreSSL library was affected as well, since its developers did not draw on the earlier experience of failures that followed the expiry of the Sectigo (Comodo) AddTrust root certificate.

Recall that releases of OpenSSL up to and including the 1.0.2 branch, and GnuTLS up to release 3.6.14, contain a bug that prevents cross-signed certificates from being processed correctly if one of the root certificates involved in the signing has expired, even when another valid trust chain is available in the store (in the case of Let's Encrypt, the expiry of the IdenTrust root prevents verification even when the system trusts Let's Encrypt's own root certificate, valid until 2030). The essence of the bug is that old versions of OpenSSL and GnuTLS treat the certificate chain as a single linear path, whereas under RFC 4158 the certificates can form a distributed, directed and possibly cyclic graph with several trust anchors, all of which must be taken into account when building a path.
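The difference between the two strategies, shown as an added example that is not part of the original article: a linear verifier that follows only the server-supplied chain fails once DST Root CA X3 expires, while an RFC 4158-style path builder backtracks from the expired cross-sign and terminates at the ISRG Root X1 anchor in the store. The certificate objects, validity dates and the verifier functions are constructed for illustration (names are real, dates approximate, no signatures are checked).

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields path building needs."""
    subject: str
    issuer: str
    not_after: datetime

    def valid_at(self, now):
        return now <= self.not_after


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed model of the Let's Encrypt hierarchy (names real, dates approximate,
# no keys: an issuer-name match stands in for a signature check).
LEAF = Cert("example.org", "R3", _utc(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", _utc(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2024, 9, 30))  # cross-signed copy
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc(2035, 6, 4))      # self-signed root
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc(2021, 9, 30))  # expired root
SERVER_CHAIN = [LEAF, R3, X1_CROSS]   # what a Let's Encrypt site sends by default
STORE = [DST_X3, X1_SELF]             # a system store that still carries DST Root CA X3
BEFORE, AFTER = _utc(2021, 9, 1), _utc(2021, 10, 1)


def verify_linear(chain, store, now):
    """Old OpenSSL 1.0.2 / GnuTLS <= 3.6.14 behaviour (modelled): the server chain is
    the only path; append the one store cert naming its top issuer, then check dates."""
    if any(a.issuer != b.subject for a, b in zip(chain, chain[1:])):
        return None
    anchor = next((c for c in store if c.subject == chain[-1].issuer), None)
    path = chain + [anchor] if anchor else None
    return path if path and all(c.valid_at(now) for c in path) else None


def build_path(cert, pool, store, now, seen=frozenset()):
    """RFC 4158-style path building: try every candidate issuer, backtrack from
    expired ones, stop at the first currently valid self-signed trust anchor."""
    if cert in seen or not cert.valid_at(now):
        return None
    if cert in store and cert.subject == cert.issuer:
        return [cert]
    for issuer in pool + store:
        if issuer.subject == cert.issuer and issuer != cert:
            rest = build_path(issuer, pool, store, now, seen | {cert})
            if rest:
                return [cert] + rest
    return None


def subjects(path):
    return None if path is None else [c.subject for c in path]
```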

As a workaround, it is proposed to remove the "DST Root CA X3" certificate from the system store (/etc/ca-certificates.conf and /etc/ssl/certs) and then run "update-ca-certificates -f -v". On CentOS and RHEL, the "DST Root CA X3" certificate can be blacklisted instead:

    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
    sudo update-ca-trust extract

Some of the crashes I've seen after IdenTrust's root certificate expired:

  • The syspatch utility used to install binary system updates has stopped working in OpenBSD. The OpenBSD project today released emergency patches for the 6.8 and 6.9 branches, fixing problems in LibreSSL with verifying cross-signed certificates when one of the root certificates in the trust chain has expired. As a workaround, it is recommended to switch from HTTPS to HTTP in /etc/installurl (this does not weaken security, since updates are additionally verified by digital signature) or to select an alternative mirror (ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). You can also remove the expired DST Root CA X3 root certificate from the /etc/ssl/cert.pem file.
  • DragonFly BSD has similar problems with DPorts. When launching the pkg package manager, a certificate verification error is issued. The fix has been added today to the master, DragonFly_RELEASE_6_0 and DragonFly_RELEASE_5_8 branches. As a workaround, you can remove the DST Root CA X3 certificate.
  • The process of verifying Let's Encrypt certificates in applications based on the Electron platform has been broken. The problem is fixed in updates 12.2.1, 13.5.1, 14.1.0, 15.1.0.
  • Some distributions have problems accessing package repositories when the APT package manager is linked against older versions of the GnuTLS library. Debian 9, which shipped an unpatched GnuTLS package, was affected: users who did not install updates in time had problems accessing deb.debian.org (the gnutls28-3.5.8-5+deb9u6 fix was proposed on September 17). As a workaround, it is recommended to remove DST_Root_CA_X3.crt from the /etc/ca-certificates.conf file.
  • The acme-client in the OPNsense firewall distribution is broken. The problem was reported in advance, but the developers did not manage to release a patch in time.
  • The problem affected the OpenSSL 1.0.2k package in RHEL/CentOS 7, but a week ago an update to the ca-certificates-2021.2.50-72.el7_9.noarch package, from which the IdenTrust certificate was removed, was published for RHEL 7 and CentOS 7, so the problem was prevented in advance. A similar update was published a week ago for Ubuntu 16.04, Ubuntu 14.04, Ubuntu 21.04, Ubuntu 20.04 and Ubuntu 18.04. Since the updates were released early, the Let's Encrypt certificate validation problem only affected users of older RHEL/CentOS and Ubuntu branches who do not install updates regularly.
  • Broken certificate verification process in grpc.
  • Crash while building Cloudflare Pages platform.
  • Problems in Amazon Web Services (AWS).
  • Database connection issues for DigitalOcean users.
  • Failure of the Netlify cloud platform.
  • Problems accessing Xero services.
  • An attempt to establish a TLS connection to the MailGun Web API failed.
  • Crashes in macOS and iOS versions (11, 13, 14), which theoretically should not have been affected by the problem.
  • Failure in Catchpoint services.
  • Certificate validation error while accessing PostMan API.
  • Guardian Firewall failure.
  • The monday.com support page is broken.
  • Cerb platform crash.
  • Failed to check uptime in Google Cloud Monitoring.
  • Issue with certificate validation in Cisco Umbrella Secure Web Gateway.
  • Problems connecting to Bluecoat and Palo Alto proxies.
  • OVHcloud is having trouble connecting to the OpenStack API.
  • Problems with report generation in Shopify.
  • There are issues when accessing the Heroku API.
  • Ledger Live Manager crashes.
  • Certificate validation error in Facebook app developer tools.
  • Problems in Sophos SG UTM.
  • Problems with checking certificates in cPanel.

Source: opennet.ru
