View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002999||Kali Linux||[All Projects] Kali Package Bug||public||2016-01-18 17:03||2016-01-22 08:09|
|Target Version|||
|Fixed in Version||2016.1|
|Summary||0002999: Kali 2.0 uses a version of libnss3 that is prone to using weaker/older SSL certificates in certain circumstances|
|Description||Kali 2.0 uses a version of libnss3 that is prone to using weaker/older certs, when navigating up the CA chain.|
One fairly obvious impact is that Google Chromium incorrectly displays the HTTPS symbol in red, rather than in green, since it uses the less secure SHA-1 based path, rather than the more secure SHA-2 based path, where multiple paths exist. This appears to be an issue where "cross-signed" roots are used, for instance. See https://sslmate.com/blog/post/chrome_cached_sha1_chains for more details.
The bug in question is present in nss_3.17.2-1.1+deb8u1, but is resolved in nss_3.17.2-1.1+deb8u2.
|Steps To Reproduce||#0: Verify "nss_3.17.2-1.1+deb8u1" is installed|
#1: Install "chromium" package (I'm using "47.0.2526.80-1~deb8u1")
#2: Run Chromium
#3: Browse to a website which used a SHA-1 certificate in the CA chain, but which now uses SHA-2 right up the chain (but where the original public key was re-signed with SHA-2, or where "cross-signing" is used).
#4: Note if the "HTTPS" logo appears in red.
#5: Using the same version of Chromium on Windows 7, note that the "HTTPS" logo appears in green, and there is no indication of SHA-1 in use.
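The path-selection behaviour the report describes, as an added example that is not from the tracker, NSS or Chromium: pure-Python inspection of each certificate's outer signatureAlgorithm from its DER encoding, plus a chain chooser that prefers a SHA-2 path over a cross-signed SHA-1 path when both exist. The helper names (`signature_algorithm`, `uses_sha1`, `prefer_sha2_chain`, `fake_cert`) are assumptions for this example, and the certificates it builds are constructed stand-ins, not real CA material.

```python
# Added example (not from the Kali tracker, NSS or Chromium): read each cert's outer
# signatureAlgorithm from DER and prefer a chain whose non-root certs avoid SHA-1.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",      # RFC 3279
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",   # RFC 4055
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}           # RFC 5758

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length (real certs)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid_str(v):                                   # OID contents -> dotted string
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, cert, _ = _tlv(der, 0)
    _, _, pos = _tlv(cert, 0)                      # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)                    # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg, 0)                       # its first element: the OID
    return SIG_OIDS.get(_oid_str(oid), _oid_str(oid))
def uses_sha1(chain):
    """SHA-1 anywhere below the trust anchor? (a root's self-signature is never verified)"""
    return any("sha1" in signature_algorithm(c).lower() for c in chain[:-1])
def prefer_sha2_chain(candidates):
    """First SHA-1-free chain (leaf..root); falling back to candidates[0] is the weak-path behaviour."""
    return next((c for c in candidates if not uses_sha1(c)), candidates[0])

# Constructed fixtures (short-form DER lengths only, so bodies stay under 128 bytes).
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _b128(n):                                      # base-128 OID arc encoding
    out = bytearray([n & 0x7F])
    while n := n >> 7:
        out.insert(0, 0x80 | (n & 0x7F))
    return out
def fake_cert(sig_oid):
    a = list(map(int, sig_oid.split(".")))
    oid = bytes([a[0] * 40 + a[1]]) + b"".join(_b128(n) for n in a[2:])
    alg = _der(0x30, _der(0x06, oid) + _der(0x05, b""))   # {algorithm, NULL params}
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00" * 5))
```

Real certificates can be fed in as DER (for example via `ssl.PEM_cert_to_DER_cert`); the parser handles the long-form lengths they use, which the constructed fixtures do not need.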
|2016-01-18 17:03||ElColmo||New Issue|
|2016-01-22 08:09||rhertzog||Note Added: 0004534|
|2016-01-22 08:09||rhertzog||Status||new => resolved|
|2016-01-22 08:09||rhertzog||Fixed in Version||=> 2016.1|
|2016-01-22 08:09||rhertzog||Resolution||open => fixed|
|2016-01-22 08:09||rhertzog||Assigned To||=> rhertzog|