X-Debbugs-Cc: severity -1 serious
X-Debbugs-Cc: found -1 3.6.7-1

On 2020-05-31 Chris Hofstaedtler <z...@debian.org> wrote:
> Package: src:gnutls28
> Version: 3.6.7-4+deb10u3
> Severity: grave
> Justification: renders package unusable

> Hi,

> gnutls appears to fail building a certificate chain, if:
> - the server sends an alternate chain with an expired intermediate
> - a matching root is in the local trust store.
[...]
> I'm marking this grave, as GnuTLS doesn't seem to follow standards here,
> various other software just works, GnuTLS-using clients all break, and
> many many sites on the public Internet send the cross-signed
> certificate.

Hello,

thanks for the report. I disagree on the severity here, since only a
very small minority of internet servers provide alternative trust paths
at all and out of these only a small percentage send an alternative
trust path using an expired certificate. (Personally I would consider
the latter a server-side configuration error.)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'