Joachim Breitner <[email protected]> writes:

> Package: libgnutls26
> Version: 2.4.2-5
> Severity: important
>
> Hi Andreas,
>
> with your recent upload of gnutls, this signature of a host with a
> recently generated cacert signature is no longer valid:
>
> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile
> /etc/ssl/certs/ca-certificates.crt
> ...
> - Peer's certificate is NOT trusted

CACert's intermediate certificate is signed using RSA-MD5, so it won't
pass GnuTLS chain verification logic. I've improved the error message,
so now the above command will print:

- Peer's certificate chain uses insecure algorithm
- Peer's certificate is NOT trusted

As a workaround, add the --insecure parameter.

We should probably consider back-porting Donald's logic to short-circuit
chain verification as soon as you have a trusted cert: then you could
choose to trust CACert's intermediate cert, and then there is no need to
rely on RSA-MD5 to trust this chain. I'll test if the patch would help
in your situation.

/Simon
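
A simplified model of the short-circuit idea discussed in the reply above, added as an illustration; it is not GnuTLS code and not the patch mentioned in the thread. The certificate names, the RSA-SHA1 leaf signature and the `verify_chain` function are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed policy for this model: signature algorithms treated as insecure.
INSECURE_SIG_ALGS = {"RSA-MD5"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate

def verify_chain(chain, trusted, short_circuit):
    """Return status messages for a leaf-first chain; an empty list means trusted.

    trusted is a set of subject names (a model simplification; a real
    verifier compares certificates and checks each signature).
    """
    insecure = False
    anchored = False
    for cert in chain:
        if cert.subject in trusted:
            anchored = True
            if short_circuit:
                break  # trusted directly: the signature on it is never relied on
        if cert.sig_alg in INSECURE_SIG_ALGS:
            insecure = True
        if cert.issuer in trusted:
            anchored = True
            if short_circuit:
                break  # signed by a trusted cert: nothing above it is examined
    messages = []
    if insecure:
        messages.append("Peer's certificate chain uses insecure algorithm")
    if insecure or not anchored:
        messages.append("Peer's certificate is NOT trusted")
    return messages

# Constructed sample chain mirroring the report: leaf <- intermediate (RSA-MD5) <- root.
LEAF = Cert("leaf.example", "Example Intermediate CA", "RSA-SHA1")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", "RSA-MD5")
CHAIN = [LEAF, INTERMEDIATE]

if __name__ == "__main__":
    for anchor in ("Example Root CA", "Example Intermediate CA"):
        for sc in (False, True):
            result = verify_chain(CHAIN, {anchor}, sc) or ["trusted"]
            print(f"trust={anchor!r} short_circuit={sc}: {result}")
```

Only the combination of trusting the intermediate and short-circuiting yields a trusted chain; trusting just the root still depends on the RSA-MD5 signature over the intermediate.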

