Package: libgnutls30
Version: 3.7.3-4+b1
Severity: normal

Dear maintainers,

Recently ca-certificates 20211016 migrated to testing which included the following change:

  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)

As can be read here [1] Let's Encrypt certificates are signed by a certificate (1) that's signed by that blacklisted certificate. By now that intermediate certificate is widespread as a trusted CA and indeed it's available in Debian.

However, since ca-certificates migrated, liferea, which uses libsoup which uses libgnutls30, fails to collect my rss feeds from ci.debian.net. This seems to only be a problem with libgnutls30, as firefox-esr and curl work just fine. (wget also uses libgnutls30 and fails). It seems that until ca-certificates migrated libgnutls30 just fell back to the expired certificate.

Paul

paul@mulciber ~ $ openssl x509 -in /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
<cut here>

paul@mulciber ~ $ gnutls-cli ci.debian.net
Processed 127 CA certificate(s).
Resolving 'ci.debian.net:443'...
Connecting to '52.34.117.196:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
	Public Key ID:
		sha1:344bd3eb5105d3b830dd87f6f5e4435e8aacdf6d
		sha256:ad60bf96ef3f8a50d84279e45abf4950fdd3852ae9e4f8b4f211575afde1effa
	Public Key PIN:
		pin-sha256:rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o=

- Certificate[1] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
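The chain above ends in the cross-signed ISRG Root X1 (issuer DST Root CA X3), while the local store holds the self-signed ISRG Root X1. The following added model (not code from the bug report or from GnuTLS) contrasts a verifier that demands the last issuer in the chain be a trust anchor with one that matches each chain certificate against the anchors by subject and public key; the subjects, issuers and expiry dates come from the output above, the key labels and the DST Root CA X3 entry are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str  # constructed label standing in for the SubjectPublicKeyInfo hash
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Chain as sent by ci.debian.net (Certificate[0..3] above; [1] duplicates the leaf).
CHAIN = [
    Cert("CN=ci.debian.net", "CN=R3", "key-leaf", utc(2022, 4, 16)),
    Cert("CN=R3", "CN=ISRG Root X1", "key-r3", utc(2025, 9, 15)),
    Cert("CN=ISRG Root X1", "CN=DST Root CA X3", "key-isrg-x1", utc(2024, 9, 30)),
]
ISRG_X1_SELF_SIGNED = Cert("CN=ISRG Root X1", "CN=ISRG Root X1", "key-isrg-x1", utc(2035, 6, 4))
DST_X3 = Cert("CN=DST Root CA X3", "CN=DST Root CA X3", "key-dst-x3", utc(2021, 9, 30))
NEW_STORE = [ISRG_X1_SELF_SIGNED]          # after ca-certificates 20211016
OLD_STORE = [ISRG_X1_SELF_SIGNED, DST_X3]  # before: expired DST root still present
NOW = utc(2022, 2, 1)                      # roughly when the report was filed


def is_anchor(cert, store):
    """A chain cert is an anchor if subject and public key match a stored root."""
    return any(t.subject == cert.subject and t.key_id == cert.key_id for t in store)


def verify_last_issuer(chain, store, now):
    """Naive: follow the chain as sent and require its final issuer to be in the
    store. Anchor expiry is not checked, so an expired DST Root CA X3 suffices."""
    if any(c.not_after < now for c in chain):
        return False
    return any(t.subject == chain[-1].issuer for t in store)


def verify_anchor_match(chain, store, now):
    """Stop at the first chain cert that is itself a trust anchor; the
    cross-signature below it is never consulted."""
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False
        if is_anchor(cert, store):
            return True
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False  # broken link in the chain
    return False
```

With NEW_STORE the naive verifier reports the issuer as unknown, as gnutls-cli does above, while the anchor-matching verifier accepts the chain at Certificate[3].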
-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii  libc6          2.33-7
ii  libgmp10       2:6.2.1+dfsg-3
ii  libhogweed6    3.7.3-1
ii  libidn2-0      2.3.2-2
ii  libnettle8     3.7.3-1
ii  libp11-kit0    0.24.0-6
ii  libtasn1-6     4.18.0-4
ii  libunistring2  1.0-1

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.7.3-4+b1

-- no debconf information