Joachim Breitner <[email protected]> writes:

> Hi Simon,
>
> On Monday, 02.02.2009, at 15:40 +0100, Simon Josefsson wrote:
>> > Package: libgnutls26
>> > Version: 2.4.2-5
>> > Severity: important
>> >
>> > Hi Andreas,
>> >
>> > with your recent upload of gnutls, this signature of a host with a
>> > recently generated cacert signature is no longer valid:
>> >
>> > $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile
>> > /etc/ssl/certs/ca-certificates.crt
>> ...
>> > - Peer's certificate is NOT trusted
>>
>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>> pass GnuTLS chain verification logic.
>
> Ah, ok, that explains it of course. I didn’t spot any MD5 in the verbose
> output, so I thought this was unexpected behavior.

Indeed. It seems gnutls-cli uses its own way to print certificate
information. I think it should use the GnuTLS standard certificate
formatting functions instead, and I'm looking into making that happen
for GnuTLS 2.7.x. This will reduce duplicated code.

>> As a workaround, add the --insecure parameter.
>>
>> We should probably consider to back-port Donald's logic to short-circuit
>> chain verification as soon as you have a trusted cert: then you could
>> choose to trust CACert's intermediate cert, and then there is no need to
>> rely on RSA-MD5 to trust this chain. I'll test if the patch would help
>> in your situation.
>
> The error occurred when using subversion, and there I can just add
> the certificate directly to the trusted certificate ones, so from my
> PoV, there is no urgent need for this.

Ok.

> It would be nice, though, especially if the intermediate certificate
> could be added to the ca-certificates package.

As far as I can tell, it is already present?

j...@mocca:~/src/gnutls master$ dpkg -L ca-certificates|grep cacert\\.org
/usr/share/ca-certificates/cacert.org
/usr/share/ca-certificates/cacert.org/cacert.org.crt
/usr/share/ca-certificates/cacert.org/root.crt
/usr/share/ca-certificates/cacert.org/class3.crt
j...@mocca:~/src/gnutls master$

However merely adding the intermediate certificate to your trusted certs
won't help unless we back-port Donald's patch: right now GnuTLS will
always validate the entire chain (which will fail here), even if you
happen to trust some intermediate certs.

/Simon
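The difference between validating the entire chain and stopping at the first trusted certificate, as described in the message above, shown as an added example: this is a simplified Python model with no real cryptography, not GnuTLS code and not the patch discussed in the thread. The certificate names, the `verify` function and the leaf's RSA-SHA1 signature are assumptions made for illustration.

```python
from dataclasses import dataclass

# Signature algorithms this model refuses (RSA-MD5 is the one in the thread).
WEAK_SIG_ALGS = {"RSA-MD5"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate

def verify(chain, trusted, short_circuit):
    """Model of chain validation; no real cryptography is performed.

    chain: certificates ordered leaf first. trusted: set of subject names
    in the trust store. Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        # Patched behaviour: an explicitly trusted cert ends the walk, so
        # the signature *on* that cert is never evaluated.
        if short_circuit and cert.subject in trusted:
            return True, f"stopped at trusted {cert.subject}"
        if cert.sig_alg in WEAK_SIG_ALGS:
            return False, f"{cert.subject} is signed with {cert.sig_alg}"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject} is not issued by the next cert"
    if chain[-1].issuer in trusted:
        return True, f"chains to trusted {chain[-1].issuer}"
    return False, "no trusted issuer found"

# Constructed sample chain. Only the RSA-MD5 signature on the intermediate
# comes from the thread; names and the leaf's RSA-SHA1 are assumptions.
ROOT, INTERMEDIATE = "example-root", "example-intermediate"
CHAIN = [
    Cert("example-host", INTERMEDIATE, "RSA-SHA1"),
    Cert(INTERMEDIATE, ROOT, "RSA-MD5"),
]

if __name__ == "__main__":
    for label, trusted in (("root only", {ROOT}),
                           ("root + intermediate", {ROOT, INTERMEDIATE})):
        for sc in (False, True):
            ok, why = verify(CHAIN, trusted, sc)
            print(f"{label:20} short_circuit={sc!s:5} -> {ok} ({why})")
```

Of the four combinations, only short-circuiting with the intermediate in the trust store accepts the chain; with the root alone, the RSA-MD5 signature is still rejected in both modes.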

