please stop providing root CAs in https certificate chain

Asked by Yves-Alexis Perez

Hi,

The TLS stack on the launchpad.net webserver is not behaving completely correctly. The certificate chain currently provided is as follows:

Certificate chain
 0 s:/OU=Domain Control Validated/CN=launchpad.net
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://<email address hidden>

There are two issues here, which are actually entangled:

- the server is not supposed to include the root CA in the certification chain, since the final validation step should be done against the included certificates. In that case, that'd be the ValiCert certificate. But actually the ValiCert root CA is being removed from NSS anyway since it's a 1024b root, and ca-certificates in Debian already removed it, so the validation fails
- the Go Daddy Class 2 Certification Authority is actually a root CA by itself, which is signed by another CA. NSS doesn't seem to actually care about that and will stop at the Go Daddy CA if ValiCert is not present, but openssl will go through the whole certificate chain

So, the best fix seems to be to remove both the Go Daddy Class 2 Certification Authority and ValiCert Class 2 Policy Validation certificates from the certificate chain. That should work fine on both NSS and openssl.
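As an added illustration (not part of the question or of Launchpad's own tooling), the snippet below parses the "Certificate chain" block that openssl s_client prints, flags self-signed certificates the server sent, and models the two verifier behaviours described above: stopping at the first issuer found in the trust store (NSS-style, or OpenSSL with trusted-first) versus walking to the end of the chain the server sent. The chain text is a constructed sample with the DNs abbreviated, and the trust store is a constructed one containing only the Go Daddy Class 2 root.

```python
import re

# Constructed sample: the chain the question reports, with DNs abbreviated
# (ST/L/serialNumber attributes dropped) so the lines stay short.
CHAIN_BEFORE = """Certificate chain
 0 s:/OU=Domain Control Validated/CN=launchpad.net
   i:/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
 1 s:/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
   i:/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority
 3 s:/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority
   i:/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority
"""
# Constructed sample of the fixed chain: header plus depths 0 and 1 are unchanged,
# the ValiCert root is gone and Go Daddy Class 2 is sent in its self-signed form.
CHAIN_AFTER = "".join(CHAIN_BEFORE.splitlines(keepends=True)[:5]) + \
    " 2 s:/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority\n" \
    "   i:/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority\n"

# Constructed local trust store: only the Go Daddy Class 2 root, because the
# ValiCert root has been dropped from NSS and Debian's ca-certificates.
TRUST_STORE = {"/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority"}

_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Parse openssl s_client 'Certificate chain' output into (depth, subject, issuer)."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in _ENTRY.findall(text)]

def self_signed_depths(chain):
    """Depths at which the server sent a root (subject == issuer); ideally empty."""
    return [d for d, s, i in chain if s == i]

def anchor_depth(chain, trusted_subjects, trusted_first):
    """Depth of the certificate whose issuer is a trust anchor, or None if validation fails.
    trusted_first=True: stop at the first issuer present in the trust store.
    trusted_first=False: walk the whole chain sent by the server and require the
    issuer of its last certificate to be trusted."""
    if trusted_first:
        return next((d for d, _, i in chain if i in trusted_subjects), None)
    depth, _, issuer = chain[-1]
    return depth if issuer in trusted_subjects else None

if __name__ == "__main__":
    for name, text in (("before", CHAIN_BEFORE), ("after", CHAIN_AFTER)):
        c = parse_chain(text)
        print(name, "roots sent at depths", self_signed_depths(c), "anchored at",
              anchor_depth(c, TRUST_STORE, True), anchor_depth(c, TRUST_STORE, False))
```

With the original chain the trusted-first walk anchors at depth 1 while the full walk fails on the untrusted ValiCert root; with the fixed chain both succeed.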

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Yves-Alexis Perez

Yves-Alexis Perez (corsac) said :
#1

Any news on this?

William Grant (wgrant) said :
#2

I don't think OpenSSL's behaviour is completely correct either, as it should stop when it finds a trusted path. But we'll remove the ValiCert root certificate from the launchpad.net chain -- it should never have been there in the first place.

Yves-Alexis Perez (corsac) said :
#3

Any idea of the timeframe in which it'll be removed? It actually somehow prevents me from using uscan to get stuff from launchpad, since it uses wget. And completely disabling certificate verification doesn't actually look like a good idea :)

William Grant (wgrant) said :
#4

It's high on our list of tickets, but I cannot give a specific timeframe. Unless OpenSSL gets fixed to trust short paths (e.g. with the relatively recent X509_V_FLAG_TRUSTED_FIRST flag), you probably want to re-add the old root locally.

Yves-Alexis Perez (corsac) said :
#5

Well, that flag also needs to be supported by client applications like wget. And re-adding a known weak root CA doesn't look like the best solution either.

Thanks for the reply anyway.

Yves-Alexis Perez (corsac) said :
#6

It seems the webserver configuration has been updated:

Certificate chain
 0 s:/OU=Domain Control Validated/CN=launchpad.net
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Thanks!