This repository has been archived by the owner on Jul 4, 2023. It is now read-only.

problems with cert verification by openssl on 10.10.3 #38491

Closed
chdiza opened this issue Apr 9, 2015 · 18 comments

Comments

@chdiza
Contributor

chdiza commented Apr 9, 2015

I'm wondering if anyone else who has openssl brewed, and has 10.10.3 installed, is finding that programs bound to the brewed openssl are flaking out and spewing "cert verification failure" warnings.

I'm getting this, and it happened instantly after upgrading to 10.10.3.

Experiment showed it doesn't matter whether the openssl was brewed prior to upgrading to 10.10.3, or brewed after the upgrade.

@MikeMcQuaid
Member

I've also seen this but I wrote it off as a random failure. @DomT4, mind digging in if you have a bit?

@DomT4
Member

DomT4 commented Apr 9, 2015

Crap. This ain't pretty. Can you give me some URLs you tried so we're hitting the same targets in terms of judging what's reproducible consistently? I haven't hit it yet trying a few GNU URLs.

@DomT4
Member

DomT4 commented Apr 9, 2015

They’ve removed the Equifax Secure CA from the Keychain.

@DomT4
Member

DomT4 commented Apr 9, 2015

Just to check this fixes things for everyone else:

Open this in your browser and check I've given you a valid link and aren't trying to "pwn" you, then curl -O it: https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem

Stick it in HOMEBREW_PREFIX/etc/openssl/certs and do HOMEBREW_PREFIX/opt/openssl/bin/c_rehash and then do brew test --verbose wget.

@chdiza
Contributor Author

chdiza commented Apr 9, 2015

Gmail via imap won't work for this reason.

At first I thought that maybe the system certs with 10.10.3, that get generated automatically when one brews openssl, were to blame. But then I poured the openssl bottle, which should have the certs from a 10.10.2 build, and the same problem exists.

I can also confirm this connection problem on three different machines, and on all of them the problem disappears upon booting back into 10.10.2.

@DomT4
Member

DomT4 commented Apr 9, 2015

But then I poured the openssl bottle, which should have the certs from a 10.10.2 build, and the same problem exists.

I believe postinstall is always done on the machine, never via the bottle.

@chdiza
Contributor Author

chdiza commented Apr 9, 2015

Workaround: Take the osx_cert.pem from a 10.10.2 brew of openssl and copy it to the relevant location on a 10.10.3 box. Solved the problem for me.

@chdiza
Contributor Author

chdiza commented Apr 9, 2015

So is this a bug in 10.10.3?

@DomT4
Member

DomT4 commented Apr 9, 2015

Looks like it. They've for some reason killed one of the most popular root certs on the planet from the Keychain. Add that one cert back, and everything rolls happiness again. I've kicked it to Apple. We may want to look at a workaround in the meantime.

@chdiza
Contributor Author

chdiza commented Apr 9, 2015

Ye gods.

🍎 😡 👊

@DomT4
Member

DomT4 commented Apr 9, 2015

Yeah, the missing Equifax root cert is being reported pretty widely this afternoon. Wish I'd just looked on Twitter before hunting around to find out myself now, would have saved time 😸. Impacts iOS 8.3 as well apparently, which is fun.

Apple did state they'd made certificate changes in this security update but they don't explain the missing Equifax and given how extremely prevalent it is IMO we don't have much choice but to put it back and wait for Apple to explain why and then decide where we go from there.

@DomT4
Member

DomT4 commented Apr 9, 2015

PR #38495

@mistydemeo
Member

The certificate in #38495, D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A, is a 1024-bit key that Mozilla is also removing. I'm guessing this was on purpose, and not an accident - in which case we should not work around it.

@DomT4
Member

DomT4 commented Apr 9, 2015

The cert is old, and weak, and should die. But the breakage removal is causing is pretty major, and I get the feeling Homebrew's going to get shoved by issues along the lines of "Why did Homebrew break wget, put it back", which sucks. Problem is compounded by certs typically having long expiry dates and being expensive to replace prematurely, so there's this general lack of urgency in moving away from the old certs.

There's no happy solution here, and I'm generally thankful it's not my call to make. Whatever is decided, I have no moans on. If we do go ahead it'll need to be applied to LibreSSL as well.

@chdiza
Contributor Author

chdiza commented Apr 9, 2015

Gmail is broken until this is fixed. Should I leave a bug report asking Google to stop requiring the cert in question?

@chdiza
Contributor Author

chdiza commented Apr 9, 2015

Sorry for the spam, the github web interface went wonky.

@felixbuenemann
Sponsor Contributor

I've had the same problem with rails-assets.org (see tenex/rails-assets#239) and fixed it by importing the popular curl CA bundle. I'm not sure why Apple is dropping this root, because most warnings for SHA-1 signatures are only aimed at server certs and intermediates, while SHA-1 roots are generally considered OK, because they are already in the key stores and their signature doesn't need to be verified. At least that's how SSL Labs' ranking for SHA-1 works.

@tdsmith
Contributor

tdsmith commented Apr 10, 2015

I'm not sure why Apple is dropping this root, because most warnings for SHA-1 signatures are only aimed at server certs and intermediates

The key size is the issue, not the signing algorithm.
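Two points in the thread call for the same check: the workaround above re-adds a root by dropping a PEM into HOMEBREW_PREFIX/etc/openssl/certs and running c_rehash, and the later comments note that the removed Equifax root (SHA-1 fingerprint D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A) is a 1024-bit key, which is why it was dropped. The following POSIX shell script is an added example, not code from this thread or from Homebrew: it audits a directory of PEM root certificates, reports each one's RSA key size and SHA-1 fingerprint in the same colon-separated form quoted above, and flags anything under a minimum key size so a maintainer can see what is weak before re-adding it to a trust store. It assumes the `openssl` command-line tool is on PATH; the demo store it builds consists of two locally generated, self-signed throwaway roots (a constructed sample, not any real CA certificate).

```shell
#!/bin/sh
# Added example: audit a directory of PEM root certs for weak RSA keys.
# Assumes the openssl CLI is available. Demo certs are generated locally.
set -eu

# Roots with an RSA modulus shorter than this are reported as weak.
MIN_BITS=${MIN_BITS:-2048}

# Print the RSA modulus size (bits) of a PEM certificate, e.g. "1024".
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the colon-separated SHA-1 fingerprint (the form quoted in #38495).
sha1_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Audit every *.pem in a directory. Returns 1 if any weak root was found,
# so it can gate a script that would otherwise run c_rehash afterwards.
audit_dir() {
    dir=$1
    weak=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        bits=$(key_bits "$cert")
        if [ -n "$bits" ] && [ "$bits" -lt "$MIN_BITS" ]; then
            printf 'WEAK  %s bits  %s  %s\n' "$bits" "$(sha1_fp "$cert")" "$cert"
            weak=1
        else
            printf 'ok    %s bits  %s  %s\n' "${bits:-?}" "$(sha1_fp "$cert")" "$cert"
        fi
    done
    return $weak
}

# Build a constructed demo store: one 1024-bit and one 2048-bit self-signed
# root, generated on the spot (hypothetical CNs, not real CA certificates).
make_demo_store() {
    dir=$(mktemp -d)
    for bits in 1024 2048; do
        openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 \
            -subj "/CN=demo-$bits-bit-root" \
            -keyout "$dir/key-$bits.pem" -out "$dir/root-$bits.pem" >/dev/null 2>&1
        rm -f "$dir/key-$bits.pem"   # keep only the certificates in the store
    done
    echo "$dir"
}

# Run with "--demo" to audit the constructed store; otherwise source the file
# and call audit_dir on a real certs directory.
if [ "${1:-}" = "--demo" ]; then
    store=$(make_demo_store)
    audit_dir "$store" || echo "weak root(s) found in $store"
fi
```

To audit a real store, source the script and run `audit_dir "$HOMEBREW_PREFIX/etc/openssl/certs"` (or the LibreSSL equivalent mentioned later in the thread) before running c_rehash; a non-zero return means at least one root below `MIN_BITS` is present, and the printed fingerprint can be compared against the one quoted for the Equifax root.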

MikeMcQuaid pushed a commit that referenced this issue Apr 27, 2015
This *will* land in 1.0.2b, but it's a better solution than us
applying an old, outdated, weak Equifax cert till that point.

I've pinged OpenSSL to check I'm not being stupid to cherry-pick these
patches, but they should be fine - I pulled both related patches,
so it's not like we're being overly selective. I also asked whether
there was a release schedule for the 1.0.2b release with these fixes,
but I don't particularly expect to be given an answer given OpenSSL's
often (understandably) sensitive release schedule.

Fixes #38495
Fixes #38491

Upstream discussion:
https://www.mail-archive.com/openssl-dev@openssl.org/msg38674.html

Closes #38897.

Signed-off-by: Mike McQuaid <mike@mikemcquaid.com>
Noctem pushed a commit to Noctem/homebrew that referenced this issue May 2, 2015
@Homebrew Homebrew locked and limited conversation to collaborators Jul 10, 2016