Your message dated Sun, 1 Oct 2017 18:02:33 +0200
with message-id <[email protected]>
and subject line Re: Bug#691864: libgnutls28: gnutls does not sort certificate 
chain to be verified
has caused the Debian Bug report #691864,
regarding please allow mis-ordered certificate chains
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
691864: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691864
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls28
Version: 3.0.22-2
Severity: important


In gnutls 3.1 it is possible to verify the authenticity of a server that
supplies a certificate chain which is not sorted.

E.g. the server has certificate S, which is signed by intermediate I, which is
signed by CA root R. The server supplies the chain S R I, which is verified
by gnutls 3.1 but not 3.0. Such servers exist in the wild, so this is
clearly an interoperability issue.

In gnutls 3.1.3 the GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN flag is available and
defaults to on. When this flag is set, such a chain is verified without
issues.

Thanks

Michal




-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing'), (400, 'unstable'), (200, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls28 depends on:
ii  libc6                    2.13-35         Embedded GNU C Library: Shared lib
ii  libgmp10                 2:5.0.5+dfsg-2  Multiprecision arithmetic library
ii  libhogweed2              2.5-1           low level cryptographic library (p
ii  libnettle4               2.5-1           low level cryptographic library (s
ii  libp11-kit0              0.12-3          Library for loading and coordinati
ii  libtasn1-3               2.14-2          Manage ASN.1 structures (runtime)
ii  multiarch-support        2.13-35         Transitional package to ensure mul
ii  zlib1g                   1:1.2.7.dfsg-13 compression library - runtime

libgnutls28 recommends no packages.

Versions of packages libgnutls28 suggests:
ii  gnutls-bin                    3.1.3-1    GNU TLS library - commandline util

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 3.1.3-1

On 2012-10-30 Michal Suchanek <[email protected]> wrote:
> Package: libgnutls28
> Version: 3.0.22-2
> Severity: important

> In gnutls 3.1 it is possible to verify the authenticity of a server that
> supplies a certificate chain which is not sorted.

> E.g. the server has certificate S, which is signed by intermediate I, which is
> signed by CA root R. The server supplies the chain S R I, which is verified
> by gnutls 3.1 but not 3.0. Such servers exist in the wild, so this is
> clearly an interoperability issue.

> In gnutls 3.1.3 the GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN flag is available and
> defaults to on. When this flag is set, such a chain is verified without
> issues.

Properly marking closed in 3.1.3-1.

--- End Message ---
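
The reordering the report describes (a server sending S R I where S I R is expected), as an added illustration that is not GnuTLS code and not part of the messages above. The `struct cert` model, `sort_chain` and the sample chains are hypothetical; matching issuer to subject by name only restores the order, and every link's signature and the trust anchor still have to be verified afterwards.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model: only the two names that link one certificate to the next. */
struct cert { const char *subject; const char *issuer; };

/* Constructed samples: the S R I order from the report, and a chain with a stray entry. */
static struct cert sample[] = { {"S", "I"}, {"R", "R"}, {"I", "R"} };
static struct cert stray[]  = { {"S", "I"}, {"X", "Y"}, {"I", "R"} };

/*
 * Reorder chain[0..n) in place so each certificate is followed by its issuer,
 * starting from chain[0] (the server certificate). Returns the length of the
 * linked path; entries at or past that index could not be linked.
 */
static size_t sort_chain(struct cert *chain, size_t n)
{
    size_t i, j;

    if (n == 0)
        return 0;
    for (i = 0; i + 1 < n; i++) {
        /* A self-issued certificate (a root) ends the path. */
        if (strcmp(chain[i].subject, chain[i].issuer) == 0)
            return i + 1;
        for (j = i + 1; j < n; j++)
            if (strcmp(chain[j].subject, chain[i].issuer) == 0)
                break;
        if (j == n)
            return i + 1; /* issuer was not supplied: path stops here */
        struct cert tmp = chain[i + 1];
        chain[i + 1] = chain[j];
        chain[j] = tmp;
    }
    return n;
}

int main(void)
{
    size_t i, len = sort_chain(sample, 3);

    for (i = 0; i < len; i++)
        printf("%s (issued by %s)\n", sample[i].subject, sample[i].issuer);
    return 0;
}
```

A verifier that accepts unsorted input should treat the entries past the returned length as unlinked and leave them out of the path it validates.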
