On 2010-03-26 Jonathan Nieder <jrnie...@gmail.com> wrote:
[..]
> As mirabilos reports, verification of the alioth.debian.org
> certificates is failing, which means that commands such as

>   git clone https://alioth.debian.org/anonscm/git/pkg-wml/pkg-wml.git

> fail.  The problem is reproducible using gnutls-cli.  Ideas?
[...]
>   gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 443 $host
[...]

Hello,
I *think* it is a configuration issue on alioth, it is sending the certs
in the wrong order:

(SID)ametz...@argenau:/tmp/tlsdebugging$ gnutls-cli --print-cert --x509cafile /dev/null -p 443 alioth.debian.org 2>&1  | certtool --verify-chain
Certificate[0]: O=Debian,CN=alioth.debian.org,email=ad...@alioth.debian.org
        Issued by: O=Debian,CN=ca.debian.org,email=debian-ad...@debian.org
        Verifying against certificate[1].
Error: Issuer's name: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,email=hostmas...@spi-inc.org
certtool: issuer name does not match the next certificate

(SID)ametz...@argenau:/tmp/tlsdebugging$ gnutls-cli -V --print-cert --x509cafile /dev/null -p 443 alioth.debian.org  | grep -E 'Issuer:|Subject:'
        Issuer: O=Debian,CN=ca.debian.org,email=debian-ad...@debian.org
        Subject: O=Debian,CN=alioth.debian.org,email=ad...@alioth.debian.org

        Issuer: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,email=hostmas...@spi-inc.org
        Subject: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,email=hostmas...@spi-inc.org

        Issuer: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,email=hostmas...@spi-inc.org
        Subject: O=Debian,CN=ca.debian.org,email=debian-ad...@debian.org

cert1 is issued by cert3, which in turn is issued by cert2.

Re-ordering (switching the position of cert2 and cert3) makes
certtool --verify-chain succeed.

cu andreas
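
The ordering check described in the message above, as an added example that is not part of the original mail or of GnuTLS: it parses Issuer:/Subject: lines like those in the grep output, reports where the served order breaks, and computes the leaf-to-root order. The sample input is constructed (DNs shortened, e-mail fields dropped), the function names are hypothetical, and it assumes the server's own certificate is sent first.

```python
# Added example: compares issuer/subject names only, no signature checks.
# Constructed sample modelled on the grep output above (DNs shortened).
SAMPLE = """\
        Issuer: O=Debian,CN=ca.debian.org
        Subject: O=Debian,CN=alioth.debian.org

        Issuer: O=Software in the Public Interest,CN=Certificate Authority
        Subject: O=Software in the Public Interest,CN=Certificate Authority

        Issuer: O=Software in the Public Interest,CN=Certificate Authority
        Subject: O=Debian,CN=ca.debian.org
"""

def parse_pairs(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    issuers, subjects = [], []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Issuer":
            issuers.append(value)
        elif key == "Subject":
            subjects.append(value)
    if len(issuers) != len(subjects):
        raise ValueError("unpaired Issuer/Subject lines")
    return list(zip(subjects, issuers))

def first_break(chain):
    """Index i where cert i's issuer is not cert i+1's subject, else None."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None

def reorder(chain):
    """Indices of the sent certs in leaf-to-root order (leaf assumed first)."""
    by_subject = {}
    for idx, (subject, _) in enumerate(chain):
        by_subject.setdefault(subject, idx)
    order = [0] if chain else []
    while order:
        subject, issuer = chain[order[-1]]
        nxt = by_subject.get(issuer)
        if subject == issuer or nxt is None or nxt in order:
            break  # self-signed root, issuer not sent, or a naming loop
        order.append(nxt)
    return order

if __name__ == "__main__":
    print(first_break(parse_pairs(SAMPLE)), reorder(parse_pairs(SAMPLE)))
```

A clean result here only means the names line up; signature and trust checks still need certtool --verify-chain or an equivalent verifier.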


