Giovanni,

Giovanni Biscuolo wrote:
> ...and sorry again to all other Guix users for the "noise": this is not strictly related to Guix but just to the most recent version of curl/wget
Don't be. It was a legitimate bug in a Guix package. Thanks to Marius for the quick fix, by the way!
> I still don't understand the differences between curl (and wget) behaviour and the last Guix available ungoogled-chromium (see below).
The expiration of the Sectigo root triggered a dormant bug in GnuTLS. Users of other crypto libraries were unaffected.
> I guess that this information, client side, is the same for all browsers and CLI interfaces (like curl) since long ago: right?
Yes. Including GnuTLS. It had the right data but drew the wrong conclusion from it.
> It seems that ungoogled-chromium stops the verification at the level=1 certificate:
As your browser and SSLLabs knew, there *was* a valid chain (two, even) and GnuTLS should have returned success. Instead it reported failure because there was *also* an invalid expired one.
At the risk of being flamed for oversimplifying: paranoid GnuTLS was using AND where it should have used OR.
Here's the actual bug report: <https://gitlab.com/gnutls/gnutls/-/issues/1008>.
(I think the server's still sending too many intermediates, but at least now all clients will correctly ignore them. They'll just waste some bandwidth on every handshake.)
Kind regards,

T G-R
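The "AND versus OR" point in the reply above, as an added illustration that is not part of the thread and is not GnuTLS code: a toy path builder in Python that models only issuer linkage and validity periods (no signatures, no name constraints, no revocation), with constructed certificate names, key identifiers and dates. A server presents a leaf, an intermediate, a cross-signed copy of the root and the expired legacy root that signed it. The conjunctive model rejects the whole handshake because one presented certificate is expired; the disjunctive model searches for any all-valid path to a trust anchor and accepts, finding two such paths before the legacy root expires and one afterwards.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, signatures not modelled)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_id: str          # tells the two "Root CA" certificates apart, like a Subject Key Identifier
    issuer_key_id: str   # like an Authority Key Identifier

    def valid_at(self, now):
        return self.not_before <= now <= self.not_after

    def issued(self, child):
        """True when this certificate is a plausible issuer of `child` (name and key linkage only)."""
        return child.issuer == self.subject and child.issuer_key_id == self.key_id


def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample with the shape of the incident: one root key carried by two certificates,
# a self-signed one in the trust store and a cross-signed one chaining to a legacy root.
SELF_SIGNED_ROOT = Cert("Root CA", "Root CA", _ts(2010, 1, 1), _ts(2038, 1, 1), "root-key", "root-key")
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root", _ts(2000, 1, 1), _ts(2020, 5, 30), "legacy-key", "legacy-key")
CROSS_SIGNED_ROOT = Cert("Root CA", "Legacy Root", _ts(2010, 1, 1), _ts(2020, 5, 30), "root-key", "legacy-key")
INTERMEDIATE = Cert("Intermediate CA", "Root CA", _ts(2018, 1, 1), _ts(2030, 1, 1), "int-key", "root-key")
LEAF = Cert("www.example.org", "Intermediate CA", _ts(2020, 1, 1), _ts(2021, 1, 1), "leaf-key", "int-key")

# What the server sends: more than it needs to, including the expired legacy material.
SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED_ROOT, LEGACY_ROOT]
# Both roots are anchors, as they were in many trust stores before the legacy one expired.
TRUST_STORE = {SELF_SIGNED_ROOT, LEGACY_ROOT}

BEFORE_EXPIRY = _ts(2020, 5, 1)
AFTER_EXPIRY = _ts(2020, 6, 15)


def verify_presented_chain(chain, trust_store, now):
    """Conjunctive model ("AND"): every certificate the server presented must be valid, the
    presented order must link up, and the last one must be an anchor. A single expired extra
    certificate fails the whole handshake even though a shorter valid path exists."""
    if not all(c.valid_at(now) for c in chain):
        return False
    for child, parent in zip(chain, chain[1:]):
        if not parent.issued(child):
            return False
    return chain[-1] in trust_store


def chains_to_anchor(leaf, presented, trust_store, now):
    """Disjunctive model ("OR"): enumerate every path from `leaf` to a trust anchor in which each
    certificate is valid at `now`. Candidates come from the presented certificates plus the trust
    store; expired ones are simply never used, so extra junk in the presented list is ignored."""
    usable = {c for c in list(presented) + list(trust_store) if c.valid_at(now)}
    found = []

    def walk(chain):
        last = chain[-1]
        if last in trust_store:
            found.append(list(chain))
            return
        for issuer in usable:
            if issuer.issued(last) and issuer not in chain:  # `not in chain` prevents loops
                walk(chain + [issuer])

    if leaf.valid_at(now):
        walk([leaf])
    return found


def accept(leaf, presented, trust_store, now):
    """Correct decision: accept if at least one all-valid path to an anchor exists."""
    return bool(chains_to_anchor(leaf, presented, trust_store, now))


def chain_subjects(chains):
    return sorted(tuple(c.subject for c in chain) for chain in chains)


if __name__ == "__main__":
    for label, now in (("before expiry", BEFORE_EXPIRY), ("after expiry", AFTER_EXPIRY)):
        print(label, "presented-chain (AND):", verify_presented_chain(SERVER_CHAIN, TRUST_STORE, now))
        print(label, "any-valid-path (OR): ", accept(LEAF, SERVER_CHAIN, TRUST_STORE, now),
              chain_subjects(chains_to_anchor(LEAF, SERVER_CHAIN, TRUST_STORE, now)))
```

Run it and the two models agree before the legacy root expires and diverge afterwards: the conjunctive check turns false while the path search still finds the path through the self-signed root. The same search also makes the bandwidth remark concrete: after expiry the cross-signed certificate and the legacy root are sent on every handshake and never used.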