Package: libgnutls26
Version: 2.8.6-1
Severity: normal

Hi,

after renewing the intermediate CA certificate of our company CA I can't connect to some servers using ldaps. GnuTLS validation is broken. The renewed CA has the same subject as the previous one. The certs are accessible at http://www.i.cz/ca/ (Issued by MS CA).

z...@bobek:/usr/share/ca-certificates/local$ openssl x509 -subject -dates -serial -noout -in ICZ-Issuing-CA.crt
subject= /C=CZ/O=ICZ a.s./CN=ICZ Issuing CA
notBefore=Oct 16 12:05:52 2007 GMT
notAfter=Oct 16 12:15:52 2011 GMT
serial=1101979C000000000002
z...@bobek:/usr/share/ca-certificates/local$ openssl x509 -subject -dates -serial -noout -in ICZ-Issuing-CA-1.crt
subject= /C=CZ/O=ICZ a.s./CN=ICZ Issuing CA
notBefore=Oct 15 11:06:03 2010 GMT
notAfter=Oct 15 11:16:03 2014 GMT
serial=6106B6F4000000000003
z...@bobek:/usr/share/ca-certificates/local$

I think it is legal to have the same subject DN for successive certificates.

z...@bobek:~$ grep ICZ /etc/ca-certificates.conf
local/ICZ-Issuing-CA.crt
local/ICZ-Issuing-CA-1.crt
local/ICZ-Root-CA.crt
z...@bobek:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
done.
done.

According to the above, the old Issuing CA cert is the first now.

Connection to a server with a cert issued by the new CA:

z...@bobek:~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 foo.i.cz
Processed 146 CA certificate(s).
Resolving 'foo.i.cz'...
Connecting to '10.0.0.2:636'...
- Successfully sent 0 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=CZ,ST=Czech Republic,L=Prague,O=ICZ a.s.,CN=foo.i.cz', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-12-17 15:10:36 UTC', expires `2011-12-17 15:10:36 UTC', SHA-1 fingerprint `b92db94bb3386f9906c154879a2b6c6390e3a5af'
- Certificate[1] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-10-15 11:06:03 UTC', expires `2014-10-15 11:16:03 UTC', SHA-1 fingerprint `b95fb82d16fe06c316465ac087b335ad3d938e99'
- The hostname in the certificate matches 'foo.i.cz'.
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5
- Compression: NULL
*** Verifying server certificate failed...

Connection to a server with a cert issued by the old CA:

z...@bobek:~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt bar.i.cz
Processed 146 CA certificate(s).
Resolving 'bar.i.cz'...
Connecting to '10.0.0.1:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `C=CZ,O=ICZ a.s.,OU=Machines,CN=bar.i.cz', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', RSA key 1024 bits, signed using RSA-SHA, activated `2010-08-16 08:59:50 UTC', expires `2011-08-16 08:59:50 UTC', SHA-1 fingerprint `5a1d9f505fdc80e46b3e6594b1eed80a3b95a523'
- Certificate[1] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2007-10-16 08:06:26 UTC', expires `2014-10-16 08:15:03 UTC', SHA-1 fingerprint `ea02ef9e4bc20f822a9bd2adb4dc263749f89241'
- Certificate[2] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2007-10-16 12:05:52 UTC', expires `2011-10-16 12:15:52 UTC', SHA-1 fingerprint `daa9c584ba23020fc9c3d266a2ba65d739e9f5f4'
- Certificate[3] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-10-15 11:06:03 UTC', expires `2014-10-15 11:16:03 UTC', SHA-1 fingerprint `b95fb82d16fe06c316465ac087b335ad3d938e99'
- The hostname in the certificate matches 'bar.i.cz'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

Reordering Issuing CA certs, so the new CA will be the first...

z...@bobek:~$ grep ICZ /etc/ca-certificates.conf
local/ICZ-Issuing-CA-1.crt
local/ICZ-Issuing-CA.crt
local/ICZ-Root-CA.crt
z...@bobek:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
done.
done.

Connection to a server with a cert issued by the new CA:

z...@bobek:~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 636 foo.i.cz
Processed 146 CA certificate(s).
Resolving 'foo.i.cz'...
Connecting to '10.0.0.2:636'...
- Successfully sent 0 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=CZ,ST=Czech Republic,L=Prague,O=ICZ a.s.,CN=foo.i.cz', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-12-17 15:10:36 UTC', expires `2011-12-17 15:10:36 UTC', SHA-1 fingerprint `b92db94bb3386f9906c154879a2b6c6390e3a5af'
- Certificate[1] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-10-15 11:06:03 UTC', expires `2014-10-15 11:16:03 UTC', SHA-1 fingerprint `b95fb82d16fe06c316465ac087b335ad3d938e99'
- The hostname in the certificate matches 'foo.i.cz'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

Connection to a server with a cert issued by the old CA:

z...@bobek:~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt bar.i.cz
Processed 146 CA certificate(s).
Resolving 'bar.i.cz'...
Connecting to '10.0.0.1:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1022 bits
 - Peer's public key: 1022 bits
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `C=CZ,O=ICZ a.s.,OU=Machines,CN=bar.i.cz', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', RSA key 1024 bits, signed using RSA-SHA, activated `2010-08-16 08:59:50 UTC', expires `2011-08-16 08:59:50 UTC', SHA-1 fingerprint `5a1d9f505fdc80e46b3e6594b1eed80a3b95a523'
- Certificate[1] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2007-10-16 08:06:26 UTC', expires `2014-10-16 08:15:03 UTC', SHA-1 fingerprint `ea02ef9e4bc20f822a9bd2adb4dc263749f89241'
- Certificate[2] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2007-10-16 12:05:52 UTC', expires `2011-10-16 12:15:52 UTC', SHA-1 fingerprint `daa9c584ba23020fc9c3d266a2ba65d739e9f5f4'
- Certificate[3] info:
 - subject `C=CZ,O=ICZ a.s.,CN=ICZ Issuing CA', issuer `C=CZ,O=ICZ a.s.,CN=ICZ Root CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-10-15 11:06:03 UTC', expires `2014-10-15 11:16:03 UTC', SHA-1 fingerprint `b95fb82d16fe06c316465ac087b335ad3d938e99'
- The hostname in the certificate matches 'bar.i.cz'.
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...

Hostnames and IP addresses were substituted...

As you can see, the reordering of CA certificates can't work. Openssl s_client handles this situation correctly.

Best Regards
--
Zito

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6        2.11.2-7          Embedded GNU C Library: Shared lib
ii  libgcrypt11  1.4.5-2           LGPL Crypto library - runtime libr
ii  libtasn1-3   2.7-1             Manage ASN.1 structures (runtime)
ii  zlib1g       1:1.2.3.4.dfsg-3  compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
ii  gnutls-bin   2.8.6-1           the GNU TLS library - commandline

-- no debconf information
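
Added example (not part of the original report, and not GnuTLS code): a small Python model of the order-dependent verdicts shown in the four gnutls-cli runs above. It assumes the renewed Issuing CA has a new key and that the failing verifier tries only the first trust-store entry whose subject matches the issuer DN; HMAC stands in for the real signature, and all keys and shortened names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes        # stand-in for the subject's key (assumption: toy symmetric key)
    signature: bytes  # HMAC by the issuer's key, standing in for an RSA signature

def _tbs(subject, issuer, key):
    # "To be signed" bytes: names plus a digest of the subject key.
    return f"{subject}|{issuer}|".encode() + hashlib.sha256(key).digest()

def issue(subject, key, issuer_subject, issuer_key):
    sig = hmac.new(issuer_key, _tbs(subject, issuer_subject, key), hashlib.sha256).digest()
    return Cert(subject, issuer_subject, key, sig)

def signed_by(cert, ca):
    want = hmac.new(ca.key, _tbs(cert.subject, cert.issuer, cert.key), hashlib.sha256).digest()
    return hmac.compare_digest(want, cert.signature)

def verify_first_match(cert, store):
    # Assumed faulty lookup: stop at the first CA whose subject matches the issuer DN.
    for ca in store:
        if ca.subject == cert.issuer:
            return signed_by(cert, ca)
    return False

def verify_all_candidates(cert, store):
    # Order-independent lookup: every CA with a matching subject is a candidate.
    return any(ca.subject == cert.issuer and signed_by(cert, ca) for ca in store)

# Constructed data mirroring the report: two Issuing CA certs, same DN, different keys.
ROOT = issue("CN=ICZ Root CA", b"root-key", "CN=ICZ Root CA", b"root-key")
OLD_CA = issue("CN=ICZ Issuing CA", b"old-key", ROOT.subject, ROOT.key)
NEW_CA = issue("CN=ICZ Issuing CA", b"new-key", ROOT.subject, ROOT.key)
BAR = issue("CN=bar.i.cz", b"bar-key", OLD_CA.subject, OLD_CA.key)  # issued by old CA
FOO = issue("CN=foo.i.cz", b"foo-key", NEW_CA.subject, NEW_CA.key)  # issued by new CA
STORES = {"old-first": [OLD_CA, NEW_CA, ROOT], "new-first": [NEW_CA, OLD_CA, ROOT]}

def results(verify):
    # Trust verdict for each server under each trust-store ordering.
    return {name: {"foo": verify(FOO, store), "bar": verify(BAR, store)}
            for name, store in STORES.items()}

if __name__ == "__main__":
    print("first match:   ", results(verify_first_match))
    print("all candidates:", results(verify_all_candidates))
```

With the first-match lookup the verdicts flip with trust-store order exactly as in the report; trying every same-subject candidate makes both servers verify under either ordering.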