cURL
Haxx ad
libcurl
Mailing Lists

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[ curl-Bugs-3409348 ] Some DigiNotar certificates still accepted

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Wed, 14 Sep 2011 15:29:50 +0200

Bugs item #3409348, was opened at 2011-09-14 15:29
Message generated for change (Tracker Item Submitted) made by edolstra
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3409348&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Eelco Dolstra (edolstra)
Assigned to: Daniel Stenberg (bagder)
Summary: Some DigiNotar certificates still accepted

Initial Comment:
Using the September 2, 2011 version of the CA bundle at http://curl.haxx.se/docs/caextract.html, curl still accepts some websites that have been signed by the compromised DigiNotar. Even though the DigiNotar root CAs were removed from the bundle, de "Staat der Nederlanden Root CA" (Dutch government root CA) is still in the bundle, which was used to sign various DigiNotar CAs.

An example is https://www.aivd.nl/ (Dutch secret service), which as of September 14 still uses a DigiNotar CA. This website is rejected by Firefox 6.0.2 and Chrome, but curl with the CA bundle still accepts it. The certificate chain is "Staat der Nederlanden Root CA" -> "Staat der Nederlanden Overheid CA" -> "DigiNotar PKIoverheid CA Overheid en Bedrijven" -> "www.aivd.nl".

Probably the CA bundle should explicitly blacklist the DigiNotar CAs (like Firefox has done), rather than merely remove them. The "Staat der Nederlanden" CAs should not be removed because they have not been compromised themselves. (Example: https://belastingbalie.eindhoven.nl/ should continue to work.)

See also the discussion at https://bugzilla.mozilla.org/show_bug.cgi?id=683449 and https://bugzilla.mozilla.org/show_bug.cgi?id=683261.

Curl output:

$ curl -v https://www.aivd.nl/
* About to connect() to www.aivd.nl port 443 (#0)
* Trying 62.112.230.143... connected
* Connected to www.aivd.nl (62.112.230.143) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=NL; O=Algemene Inlichtingen- en Veiligheidsdienst (2000000056); OU=IM; serialNumber=PK070001002339140; CN=www.aivd.nl
* start date: 2010-03-05 13:37:22 GMT
* expire date: 2013-03-05 13:37:22 GMT
* common name: www.aivd.nl (matched)
* issuer: C=NL; O=DigiNotar B.V.; CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 OpenSSL/1.0.0d zlib/1.2.5 libssh2/1.2.6
> Host: www.aivd.nl
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: http://www.aivd.nl/
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Wed, 14 Sep 2011 13:16:00 GMT
< Content-Length: 142
< Age: 13
< X-Cache: HIT from asd1cc002.asp4all.nl
< Via: 1.1 asd1cc002.asp4all.nl:443 (squid)
< Connection: close
<
<head><title>Document Moved</title></head>
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
<body><h1>Object Moved</h1>This document may be found here</body>

$ curl --version
curl 7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 OpenSSL/1.0.0d zlib/1.2.5 libssh2/1.2.6
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM SSL libz

$ head -n 5 /etc/ssl/certs/ca-bundle.crt
##
## ca-bundle.crt -- Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Fri Sep 2 23:34:57 2011
##

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3409348&group_id=976
Received on 2011-09-14

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET