Jonathan Nieder dixit: >> On the same system: >> >> $ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect >> alioth.debian.org:443 >[...] >> subject=/O=Debian/CN=alioth.debian.org/emailaddress=ad...@alioth.debian.org >> issuer=/O=Debian/CN=ca.debian.org/emailaddress=debian-ad...@debian.org >[...] >> So this is not a problem with the ca bundle. I think this is >> because it doesn't correctly validate the chain or something. >> Same on Lenny, FWIW. > >Debian git uses libcurl3-gnutls for HTTP support. Sadly I know almost >nothing about these things. With gnutls-bin installed,
Yeah, thought so. >- The hostname in the certificate matches '<host>' >- Peer's certificate issuer is unknown >- Peer's certificate is NOT trusted Interesting, as it should be trusted. Maybe GnuTLS has a problem with the certificate _chain_ involving an intermediate? >people elsewhere do) and when using GnuTLS backend (as Debian does for political >reasons)? bye, //mirabilos -- [...] if maybe ext3fs wasn't a better pick, or jfs, or maybe reiserfs, oh but what about xfs, and if only i had waited until reiser4 was ready... in the be- ginning, there was ffs, and in the middle, there was ffs, and at the end, there was still ffs, and the sys admins knew it was good. :) -- Ted Unangst über *fs -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
