Hi Marcelo,

On Fri, 26 Aug 2016 10:30:51 -0400
"marcelomen...@gmail.com" <marcelomen...@gmail.com> wrote:

> 2016-08-25 13:25 GMT-04:00 Andreas Metzler <ametz...@bebt.de>:
> > On 2016-08-24 "marcelomen...@gmail.com" <marcelomen...@gmail.com>
> > wrote:
> >> Package: libgnutls30
> >> Version: 3.5.3-2
> >> Severity: important
> >> Tags: upstream
> >
> >> Dear Maintainer,
> >
> >> Trying to git clone a github repo using libgnutls30 3.5.3-2 throws
> >> the following error:
> >
> >> fatal: unable to access 'https://github.com/xxx/yyy/':
> >> gnutls_handshake() failed: Public key signature verification has
> >> failed.
> >
> >> Same happens for curl:
> >
> >> curl https://duckduckgo.com
> >> curl: (35) gnutls_handshake() failed: Public key signature
> >> verification has failed.
> >
> > Hello,
> > Are you able to reproduce either of these errors with gnutls-cli?
>
> First, let me say I'm behind a proxy server.

Does the proxy happen to intercept TLS, i.e. is it a local CA and
creates certificates on demand, which might fail the verification?

Perhaps you could get a pcap with tcpdump of the connection(s) from
curl to the proxy?

    tcpdump -i eno1 -w curl-to-proxy.pcap 'host <proxy-ip> and port <proxy-port>'

> Both versions of gnutls-bin (3.5.3-3 and the old 3.5.2-3) have the
> same behavior:
>
> gnutls-cli -V --port 443 duckduckgo.com
> Processed 173 CA certificate(s).
> Resolving 'duckduckgo.com:443'...
> Connecting to '107.21.1.61:443'...
> Connecting to '184.72.106.52:443'...
> Connecting to '184.72.115.86:443'...
>
> and stays there for quite some time until I ctrl+c

I don't think gnutls-cli supports a proxy directly; you'd probably have
to use some LD_PRELOAD proxy wrapper (e.g. tsocks or similar).