Andreas Metzler <[email protected]> writes:

> On 2009-02-02 Simon Josefsson <[email protected]> wrote:
>> Joachim Breitner <[email protected]> writes:
>>> On Monday, 02.02.2009, 15:40 +0100, Simon Josefsson wrote:
>>>>> Package: libgnutls26
>>>>> Version: 2.4.2-5
>>>>> Severity: important
>
>>>>> Hi Andreas,
>>>>> with your recent upload of gnutls, this signature of a host with a
>>>>> recently generated cacert signature is no longer valid:
>
>>>>> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile
>>>>> /etc/ssl/certs/ca-certificates.crt
>>>> ...
>>>>> - Peer's certificate is NOT trusted
>
>>>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>>>> pass GnuTLS chain verification logic.
> [...]
>>>> We should probably consider back-porting Donald's logic to short-circuit
>>>> chain verification as soon as you have a trusted cert: then you could
>>>> choose to trust CACert's intermediate cert, and then there is no need to
>>>> rely on RSA-MD5 to trust this chain. I'll test if the patch would help
>>>> in your situation.
>
> Hello,
>
> I have just uploaded 2.4.2-6 (which is basically 2.4.3 without all the
> changes from autogenerated files, for easier review) to unstable. This
> should fix (work around) your problem, since it makes it possible to
> trust the intermediate cert.
Thanks. I can confirm that it solves the problem:

j...@mocca:~$ LD_PRELOAD=/usr/lib/libgnutls.so /usr/bin/gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /usr/share/ca-certificates/cacert.org/root.crt
...
- Peer's certificate is NOT trusted

Which is correct, since the chain contains an RSA-MD5 signature. (The better error message is not printed here though; that change was not back-ported.)

Trying it again with the intermediate cert works fine:

j...@mocca:~$ LD_PRELOAD=/usr/lib/libgnutls.so /usr/bin/gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /usr/share/ca-certificates/cacert.org/class3.crt
...
- Peer's certificate is trusted

So I think everything works as expected now. So, shouldn't this bug be marked as fixed with 2.4.2-6?

/Simon
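As an added illustration of the short-circuit logic Simon describes above and the two gnutls-cli results he reports, here is a small Python model of chain verification; it is not GnuTLS code and not part of the thread, and the certificate names and the non-MD5 signature algorithms are constructed assumptions (only the RSA-MD5 signature on the intermediate comes from the thread):

```python
from dataclasses import dataclass

# Signature algorithms a verifier refuses to rely on; the thread concerns
# RSA-MD5, RSA-MD2 is listed here as an assumed sibling.
WEAK_SIG_ALGOS = {"RSA-MD5", "RSA-MD2"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_algo: str  # algorithm the issuer used when signing this cert


def verify_chain(chain, trusted, short_circuit=True):
    """Verify a leaf-first chain against a set of trusted certs; returns (ok, reason).

    short_circuit=True stops as soon as a trusted cert is reached, so signatures
    above that point (an RSA-MD5 signature on an intermediate) are never relied
    upon.  short_circuit=False checks every signature, modelling the behaviour
    the bug report is about.
    """
    trusted_subjects = {c.subject for c in trusted}
    for idx, cert in enumerate(chain):
        if short_circuit and cert.subject in trusted_subjects:
            return True, f"reached trusted cert {cert.subject}"
        # This cert's own signature is being relied upon, so its algorithm matters.
        if cert.sig_algo in WEAK_SIG_ALGOS:
            return False, f"{cert.subject} is signed with {cert.sig_algo}"
        next_is_issuer = idx + 1 < len(chain) and chain[idx + 1].subject == cert.issuer
        if not next_is_issuer:
            # Chain ends here: the issuer itself must be a trust anchor.
            if cert.issuer in trusted_subjects:
                return True, f"issuer {cert.issuer} is a trust anchor"
            return False, f"no trusted issuer for {cert.subject}"
    return False, "chain exhausted without reaching a trust anchor"


# Constructed chain modelled on the thread: the intermediate carries an RSA-MD5
# signature from the root; the root and leaf algorithms are assumptions.
ROOT = Cert("CAcert Root", "CAcert Root", "RSA-SHA1")
CLASS3 = Cert("CAcert Class 3", "CAcert Root", "RSA-MD5")
LEAF = Cert("fry.serverama.de", "CAcert Class 3", "RSA-SHA1")
CHAIN = [LEAF, CLASS3, ROOT]

if __name__ == "__main__":
    print(verify_chain(CHAIN, {ROOT}))           # root.crt as anchor: MD5 must be relied upon
    print(verify_chain(CHAIN, {CLASS3}))         # class3.crt as anchor: short-circuits
    print(verify_chain(CHAIN, {CLASS3}, False))  # pre-2.4.2-6 style: still checks the MD5 signature
```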

