expiring trust anchor compatibility issue

python3.5 has stopped passing its testsuite due to expried test certs. Thus upload of openssl has triggered regression in python3.5

I've cherrypicked updated test certs and keys, but to cherry-pick those cleanly, I also had to cherrypick an earlier bug fix. All of these are unmodified from 3.5.10 release. With these patches in place python3.5 testsuite passes with both current and proposed update of openssl.

PPA with these changes available from https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4594

ADT results at https://bileto.ubuntu.com/excuses/4594/xenial.html

I think the patch in comment #1 looks reasonable.

Assigning the verification and publication to xenial-security to myself. Thanks.

Hello Dimitri, or anyone else affected,

Accepted openssl into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.20 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted openssl (1.0.2g-1ubuntu4.20) for xenial have finished running.
The following regressions have been reported in tests triggered by the package:

psqlodbc/1:09.03.0300-1 (armhf)
ruby2.3/2.3.1-2~ubuntu16.04.16 (s390x)
python3.5/3.5.2-2ubuntu0~16.04.13 (i386, amd64, ppc64el, s390x, armhf, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#openssl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Reproduced the bug with:

# dpkg-query -W libssl1.0.0 openssl
libssl1.0.0:amd64 1.0.2g-1ubuntu4.19
openssl 1.0.2g-1ubuntu4.19

# openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile ca.pem
verify depth is 1
CONNECTED(00000003)
depth=3 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
verify error:num=10:certificate has expired
notAfter=Jan 30 14:01:15 2021 GMT
140540576667288:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:

# upgrading

# dpkg-query -W libssl1.0.0 openssl
libssl1.0.0:amd64 1.0.2g-1ubuntu4.20
openssl 1.0.2g-1ubuntu4.20

# # openssl s_client -connect expired-root-ca-test.germancoding.com:443 -servername expired-root-ca-test.germancoding.com -verify 1 -verifyCAfile ca.pem
verify depth is 1
CONNECTED(00000003)
depth=2 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
verify return:1
depth=1 C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
verify return:1
depth=0 CN = expired-root-ca-test.germancoding.com
verify return:1
---
Certificate chain
 0 s:/CN=expired-root-ca-test.germancoding.com
   i:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3
 1 s:/C=US/O=(STAGING) Let's Encrypt/CN=(STAGING) Artificial Apricot R3
   i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1
 2 s:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Pretend Pear X1
   i:/C=US/O=(STAGING) Internet Security Research Group/CN=(STAGING) Doctored Durian Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGgTCCBWmgAwIBAgITAPqeXD5BcpT3tXI8aoDSYano7DANBgkqhkiG9w0BAQsF

....

connection is successful.

python3.5 ADT regression is in xenial-updates regression, because the test certificates it uses have expired.

Download of canonical.com with faketime 2021-10-01 also works.

ruby2.3 is not a regression on all other arches, not sure why s390x is the only "working" arch with failing test.

retried psqlodbc

psqlodbc confuses me, as if clusters fail to create. Seems unrelated to openssl changes.

The Ubuntu Security Team is okay with publishig the xenial openssl in proposed (1.0.2g-1ubuntu4.20) to xenial-security and updates. I didn't see any symbol changes or dependency changes in the binaries that would have indicated that building against xenial-updates was a problem.

Thanks!

This bug was fixed in the package openssl - 1.0.2g-1ubuntu4.20

---------------
openssl (1.0.2g-1ubuntu4.20) xenial-security; urgency=medium

  * Enable X509_V_FLAG_TRUSTED_FIRST by default, such that letsencrypt
    connection with the default chain remains trusted even after the
    expiry of the redundant CA certificate. LP: #1928989

 -- Dimitri John Ledkov <email address hidden> Mon, 28 Jun 2021 14:05:36 +0100

The verification of the Stable Release Update for openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Attempted trusty backport, but failing at making it pass all the existing unit tests. Asking for help. At the moment it seems to me that trusty will remain unfixed.

Status changed to 'Confirmed' because the bug affects multiple users.

@xnox I'm working on an update for Debian Jessie (1.0.1t) as part of Debian ELTS.
I got one test suite failure in 'verify_extra_test' that I fixed by partially reverting https://github.com/openssl/openssl/commit/cb22d2ae5a5b6069dbf66dbcce07223ac15a16de (hence aligning the test with later OpenSSL versions).

Attached is my current debdiff, I'm open to exchanging code reviews :)

Note: for trusty the issue will be worked around by distrusting "DST Root CA X3", see https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481

Help!

I'm on Trusty and Launchpad PPAs no longer work for me!

sudo add-apt-repository ppa:oibaf/graphics-drivers

Cannot add PPA: '"Error reading https://launchpad.net/api/1.0/~oibaf/+archive/graphics-drivers: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')"'.

What do I do? How do I fix this???

I think you want package updates from Ubuntu ESM, in particular ca-certificates 20190110~14.04.1~esm2.