Hi Simon,

On Monday, 02.02.2009, at 15:40 +0100, Simon Josefsson wrote:
> > Package: libgnutls26
> > Version: 2.4.2-5
> > Severity: important
> >
> > Hi Andreas,
> >
> > with your recent upload of gnutls, this signature of a host with a
> > recently generated cacert signature is no longer valid:
> >
> > $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile 
> > /etc/ssl/certs/ca-certificates.crt 
> ...
> > - Peer's certificate is NOT trusted
> 
> CACert's intermediate certificate is signed using RSA-MD5, so it won't
> pass GnuTLS chain verification logic.

Ah, ok, that explains it of course. I didn’t spot any MD5 in the verbose
output, so I thought this was unexpected behavior.

> I've improved the error message, so now the above command will print:
> 
> - Peer's certificate chain uses insecure algorithm
> - Peer's certificate is NOT trusted

Great, much better.

> As a workaround, add the --insecure parameter.
> 
> We should probably consider back-porting Donald's logic to short-circuit
> chain verification as soon as you have a trusted cert: then you could
> choose to trust CACert's intermediate cert, and then there is no need to
> rely on RSA-MD5 to trust this chain.  I'll test if the patch would help
> in your situation.

The error occurred when using subversion, and there I can just add
the certificate directly to the trusted certificate ones, so from my
PoV, there is no urgent need for this.

It would be nice, though, especially if the intermediate certificate
could be added to the ca-certificates package.

Greetings and thanks for the quick answer,
Joachim
-- 
Joachim "nomeata" Breitner
Debian Developer
  [email protected] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [email protected] | http://people.debian.org/~nomeata

Attachment: signature.asc
Description: This is a digitally signed message part
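
The short-circuit idea discussed in this thread, as an added example that is not part of the original message and is not GnuTLS code: a simplified model showing why trusting the intermediate certificate directly only helps once verification stops at the first trusted certificate. The certificate names, the leaf's RSA-SHA1 signature, the `Cert` type and the `verify_chain` function are assumptions made for the illustration, and real signature checks are replaced by issuer/subject name matching.

```python
from dataclasses import dataclass

# Assumption for this model: signature algorithms the verifier refuses to rely on.
INSECURE_SIG_ALGS = {"RSA-MD2", "RSA-MD5"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate

def verify_chain(chain, trusted, short_circuit):
    """Return a list of problems for a leaf-first chain (empty list = trusted).

    Signature checks are modelled by issuer/subject name matching only.
    """
    if short_circuit:
        # Cut the chain at the first certificate that is itself a trust anchor;
        # the signature on that certificate is then never relied on.
        for i, cert in enumerate(chain):
            if cert in trusted:
                chain = chain[:i]
                break
    anchors = {c.subject for c in trusted}
    problems = []
    for i, cert in enumerate(chain):
        if cert.sig_alg in INSECURE_SIG_ALGS:
            problems.append(f"{cert.subject}: insecure algorithm {cert.sig_alg}")
        if i + 1 < len(chain):
            if chain[i + 1].subject != cert.issuer:
                problems.append(f"{cert.subject}: next certificate is not its issuer")
        elif cert.issuer not in anchors:
            problems.append(f"{cert.subject}: issuer is not trusted")
    return problems

# Constructed sample chain; only the RSA-MD5 intermediate comes from the thread.
ROOT = Cert("CN=Example Root", "CN=Example Root", "RSA-SHA1")
INTERMEDIATE = Cert("CN=Example Intermediate", "CN=Example Root", "RSA-MD5")
LEAF = Cert("CN=host.example", "CN=Example Intermediate", "RSA-SHA1")
CHAIN = [LEAF, INTERMEDIATE]

if __name__ == "__main__":
    for trusted, sc in (([ROOT], False), ([ROOT, INTERMEDIATE], False),
                        ([ROOT, INTERMEDIATE], True)):
        print(len(trusted), sc, verify_chain(CHAIN, trusted, sc) or "trusted")
```

Without the short-circuit, adding the intermediate to the trust list changes nothing, because its RSA-MD5 signature from the root is still evaluated.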
