GNU bug report logs - #31946
27.0.50; The NSM should warn about more TLS problems
Reported by: Lars Ingebrigtsen <larsi <at> gnus.org>
Date: Sat, 23 Jun 2018 10:39:02 UTC
Severity: normal
Tags: fixed, security
Found in version 27.0.50
Fixed in version 27.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Lars Ingebrigtsen <larsi <at> gnus.org> writes:
> Hm... this URL
>
> https://www.usps.com/business/web-tools-apis/welcome.htm
>
> now gives a warning about a SHA1 intermediary certificate, while
> Chromium and Firefox seem fine with it, so there may be a bug in the
> SHA1 check. Haven't had time to debug.

According to the show certificate info in Firefox, it's the root
certificate which has SHA1. Firefox shows both the issuer and subject
name as:

    CN = VeriSign Class 3 Public Primary Certification Authority - G5
    OU = "(c) 2006 VeriSign, Inc. - For authorized use only"
    OU = VeriSign Trust Network
    O = "VeriSign, Inc."
    C = US

But in Emacs, I'm getting this from gnutls_x509_crt_get_issuer_dn():

    "C=US,O=VeriSign\\, Inc.,OU=Class 3 Public Primary Certification Authority"

and this from gnutls_x509_crt_get_dn():

    "C=US,O=VeriSign\\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5"

So gnutls is getting this non-matching issuer from somewhere, but it's
unclear to me where.
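
An added example, not part of the message above or of Emacs/GnuTLS: a small parser for the two DN strings quoted in the message, showing that the subject GnuTLS returned is the name Firefox displayed while the issuer is a different name, so the certificate Emacs inspected is not self-issued. It assumes the doubled backslashes in the quoted strings are string quoting for a single backslash; `parse_dn`, `is_self_issued` and `matches_browser_view` are names made up for this example.

```python
import string

# DN strings from the message above. Assumption: the doubled backslashes shown
# there are debugger string quoting, so each stands for a single backslash.
SUBJECT = (r"C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,"
           r"OU=(c) 2006 VeriSign\, Inc. - For authorized use only,"
           r"CN=VeriSign Class 3 Public Primary Certification Authority - G5")
ISSUER = r"C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority"

# What Firefox displayed for both subject and issuer, most specific RDN first.
FIREFOX = [("CN", "VeriSign Class 3 Public Primary Certification Authority - G5"),
           ("OU", "(c) 2006 VeriSign, Inc. - For authorized use only"),
           ("OU", "VeriSign Trust Network"),
           ("O", "VeriSign, Inc."),
           ("C", "US")]

def parse_dn(dn):
    """Split a DN string into (type, value) pairs, honouring backslash escapes."""
    # Multi-valued RDNs ("+") and "#hex" encoded values are out of scope here.
    rdns, attr, buf, i = [], None, bytearray(), 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","      # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))       # \XX hex-pair escape
                i += 3
            else:
                buf += dn[i + 1].encode()       # \, \+ \" \\ and similar
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = buf.decode().strip().upper(), bytearray()
        elif ch == ",":                         # unescaped comma ends an RDN
            if attr is None:
                raise ValueError("RDN without '=': %r" % dn)
            rdns.append((attr, buf.decode()))
            attr, buf = None, bytearray()
        else:
            buf += ch.encode()
        i += 1
    return rdns

def is_self_issued(subject, issuer):
    """True when issuer and subject are the same name, as on a root certificate."""
    return parse_dn(subject) == parse_dn(issuer)

def matches_browser_view(dn, displayed):
    """Compare a DN string with a most-specific-first list like Firefox's."""
    return parse_dn(dn) == list(reversed(displayed))
```
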
This bug report was last modified 5 years and 328 days ago.