Your message dated Wed, 24 Oct 2012 15:12:57 +0800
with message-id <[email protected]>
and subject line Re: Bug#691213: ncl.edu.tw vs, gnutls
has caused the Debian Bug report #691213,
regarding ncl.edu.tw vs, gnutls
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
691213: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691213
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
X-debbugs-Cc: [email protected]
Package: libgnutls26
Version: 2.12.20-1

Dear gnutls maintainers, we might have found a bug.

Though I don't understand gnutls myself, I hope you can forward this bug
to whatever read origin it has. Thanks!


>>>>> "A" == Andrew M Bishop <[email protected]> writes:
A> Hi,

>> I guess there's no way to get to
>> http://www.ncl.edu.tw/
>> via WWWOFFLE.
>> 
>> https://sso.ncl.edu.tw/SSO-web/login?service=http://www.ncl.edu.tw/outurl.asp?iNCL=&gateway=
>> true;
>> 
>> failed because
>> 
>> Cannot secure the https (SSL) connection to sso.ncl.edu.tw port 443; 
>> [IO(gnutls): Key usage
>> violation in certificate has been detected.].
>> 
>> 
>> Other browsers don't even give any hint of a problem.

A> When I visit this site using Firefox (Iceweasel on Debian) and look at
A> the page info for the security information I see that the
A> sso.ncl.edu.tw certificate was issued by [a set of characters that my
A> browser cannot display] which itself was issued by the Taiwan
A> Government Root Certification Authority.  All of the certificates have
A> valid dates and Firefox reports no errors.


A> I notice that wget also isn't happy:

A> $ wget https://sso.ncl.edu.tw/SSO-web/login
A> --2012-10-22 11:01:42--  https://sso.ncl.edu.tw/SSO-web/login
A> Resolving sso.ncl.edu.tw (sso.ncl.edu.tw)... 192.83.186.234
A> Connecting to sso.ncl.edu.tw (sso.ncl.edu.tw)|192.83.186.234|:443... 
connected.
A> GnuTLS: Key usage violation in certificate has been detected.
A> Unable to establish SSL connection.


A> I can also use a gnutls tool to get the certificate from the server:

A> $ gnutls-cli -p 443 sso.ncl.edu.tw --print-cert 
A> Processed 150 CA certificate(s).
A> Resolving 'sso.ncl.edu.tw'...
A> Connecting to '192.83.186.234:443'...
A> |<1>| Note that the security level of the Diffie-Hellman key exchange has 
been lowered to 512 bits and this may allow decryption of the session data
A> - Peer's certificate is trusted
A> - The hostname in the certificate matches 'sso.ncl.edu.tw'.
A> *** Fatal error: Key usage violation in certificate has been detected.
A> - Certificate type: X.509
A> - Got a certificate list of 3 certificates.


A> By cutting and pasting the three certificates I get from this to a
A> file I can then try and verify the chain:

A> $ certtool --load-ca-certificate=/etc/ssl/certs/Taiwan_GRCA.pem --verify < 
sso.pem
A> Loaded 3 certificates, 1 CAs and 0 CRLs

A>         Subject: C=TW,O=è¡æ¿é¢,OU=æ¿åºæè­ç®¡ç中å¿
A>         Issuer: C=TW,O=Government Root Certification Authority
A>         Checked against: C=TW,O=Government Root Certification Authority
A>         Output: Verified.

A>         Subject: 
C=TW,O=è¡æ¿é¢,OU=æè²é¨,OU=å家忤¨,CN=sso.ncl.edu.tw,serialNumber=0000000010015071
A>         Issuer: C=TW,O=è¡æ¿é¢,OU=æ¿åºæè­ç®¡ç中å¿
A>         Checked against: C=TW,O=è¡æ¿é¢,OU=æ¿åºæè­ç®¡ç中å¿
A>         Output: Verified.

A> Chain verification output: Verified.


A> Also if I take the second and third certificate from the gnutls-cli
A> output and put them in one file (called sso23.pem) and put the first
A> certificate into a file of its own (called sso1.pem) then they verify
A> OK:

A> $ certtool --load-ca-certificate=sso23.pem --verify < sso1.pem
A> Loaded 1 certificates, 2 CAs and 0 CRLs

A>         Subject: 
C=TW,O=è¡æ¿é¢,OU=æè²é¨,OU=å家忤¨,CN=sso.ncl.edu.tw,serialNumber=0000000010015071
A>         Issuer: C=TW,O=è¡æ¿é¢,OU=æ¿åºæè­ç®¡ç中å¿
A>         Checked against: C=TW,O=è¡æ¿é¢,OU=æ¿åºæè­ç®¡ç中å¿
A>         Output: Verified.

A> Chain verification output: Verified.



A> So, in conclusion, I don't know what is going on.  WWWOFFLE is doing
A> the same thing as wget and gnutls-cli and all three are complaining.
A> On the other hand when trying the certificates from gnutls-cli
A> manually against a known good Taiwan GRCA or checking the three parts
A> of the output of gnutls-cli against each other it works.

A> It could be a gnutls bug; if you send them a bug report using their
A> own tools (gnutls-cli and certtool) then they can verify it themselves
A> and perhaps explain how one method fails but others work.

A> -- 
A> Andrew.
A> ----------------------------------------------------------------------
A> Andrew M. Bishop                             [email protected]
A>                                       http://www.gedanken.demon.co.uk/

A> WWWOFFLE homepage:           http://www.gedanken.demon.co.uk/wwwoffle/

--- End Message ---
--- Begin Message ---
OK closing.

--- End Message ---

Reply via email to