Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> > > The best would be to report that to debian instead. In any case,
> > > what is the certificate chain that cannot be validated? Do you know
> > > which CA certificates were removed by the update?
> > >
> > > regards,
> > > Nikos
> > Debian basically gets the bundle from mozilla and it seems that one
> > of the certificates in the chain has been removed indeed.
> >
> > CN = Thawte Premium Server CA
> > SHA1 Fingerprint:
> > 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> > (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/)
>
> Mozilla has removed the 1024-bit CAs, however, gnutls (3.3.x+) is
> capable of detecting an alternative path.
>...
> In my debian (testing) system, certtool --verify and this chain gives:
>...
> What do you see in your system for the same command?

Hmm, the same output (with 3.3.17) as yours.

I am sorry, I probably made some mistake while testing 3.3.* and 3.4.* and continued checking with 3.2.21 (because of presumed abi/api-changes), which didn't have that alternative path searching feature. I don't encounter any problems with 3.3.17 anymore. That mistake might have been the wrong URL for the certificate but I don't have logs on that.

Sorry for wasting your time and thanks for clarification. At least I might've learned a thing or two on gnutls and bug-hunting documentation.

Andreas Müller
