]] Alessandro Ghedini > On lun, dic 01, 2014 at 11:18:19 +0100, Tollef Fog Heen wrote: > > > > Is this intentional, or is that a bug in either gnutls, curl, or the > > > > software > > > > using these libraries? > > > > > > AFAICT this is due to the gnutls26 -> gnutls28 switch. Using > > > libgnutls-dev to > > > build curl instead of libgnutls28-dev makes it possible to point > > > CURLOPT_CAINFO > > > to a single leaf certificate and have the verification succeed. > > > > > > FWIW the current behaviour is the same with openssl. I don't know if > > > there's a > > > reason for it though. > > > > Can we get it reverted/fixed? > > If you are asking if curl is gonna go back to gnutls26, I don't think that's > gonna happen. AFAICT it's not maintained upstream anymore and gnutls28 > provides > stuff like ECC support that's IMO more important.
I'm not asking for a particular course of action, I'm asking for a specific goal to be reached. (I otherwise agree that going back to gnutls26 isn't a good idea.) > As for fixing it, you need to discuss this with the gnutls maintainers. That's why they are copied on the mail too. > > We consider it a security-related regression compared to wheezy and while we > > could run private builds of the code on debian.org, that'd be pretty silly > > (and a waste of manpower). > > What does "security-related regression" mean? (if anything this makes security > checks tighter). No, it doesn't necessarily. As dkg points out, I can no longer say «this service should have this particular cert». This makes us vulnerable to compromises of the CA that provides the cert for a given service and a lowering of the overall security in this particular setup. > The problem, I think, is that you provide curl (and thus gnutls) with > a CA certificate that doesn't actually sign the end certificate of the > site you are trying to connect to (even if the two are the same > certificate). Well, it's not a CA certificate. :-) > Again, I don't know if this is intended or not, you need to talk with the > gnutls > maintainers. Again, they're Cc-ed. -- Tollef Fog Heen UNIX is user friendly, it's just picky about who its friends are -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87oarngjv0....@aexonyam.err.no
