Bug#563127: gnutls-bin: Can no longer verify connections to my company's email server

Sam Morris sam at robots.org.uk
Thu Dec 31 01:17:28 UTC 2009 

Package: gnutls-bin
Version: 2.8.5-2
Severity: important

Today, Evolution stopped being able to connect to my company's email
server, claiming that the SSL certificate was bad. Thunderbird does not
have that problem, but while debugging the issue I found that gnutls-cli
does too.

I've kept the actual server details out of this public bug report;
please tell me what email address I can mail them to if you want to
debug the issue on your end.

$ gnutls-cli --x509cafile /etc/ssl/certs/Go_Daddy_Class_2_CA.pem --starttls -p imap imap.example.com
Processed 1 CA certificate(s).
Resolving 'imap.example.com'...
Connecting to '192.0.2.1:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS QUOTA STARTTLS LOGINDISABLED] Dovecot ready.
a STARTTLS
a OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1020 bits
- Certificate type: X.509
 - Got a certificate list of 4 certificates.
 - Certificate[0] info:
  - subject `O=*.example.com,OU=Domain Control Validated,CN=*.example.com', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=88888888', RSA key 2048 bits, signed using RSA-SHA, activated `2009-04-21 10:59:00 UTC', expires `2010-04-30 15:52:40 UTC', SHA-1 fingerprint `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
 - Certificate[1] info:
  - subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', issuer `C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority', RSA key 2048 bits, signed using RSA-SHA, activated `2006-11-16 01:54:37 UTC', expires `2026-11-16 01:54:37 UTC', SHA-1 fingerprint `7c4656c3061f7f4c0d67b319a855f60ebc11fc44'
 - Certificate[2] info:
  - subject `C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority', issuer `L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com', RSA key 2048 bits, signed using RSA-SHA, activated `2004-06-29 17:06:20 UTC', expires `2024-06-29 17:06:20 UTC', SHA-1 fingerprint `de70f4e2116f7fdce75f9d13012b7e687a3b2c62'
 - Certificate[3] info:
  - subject `L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com', issuer `L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com', RSA key 1024 bits, signed using RSA-SHA, activated `1999-06-26 00:19:54 UTC', expires `2019-06-26 00:19:54 UTC', SHA-1 fingerprint `317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6'
- The hostname in the certificate matches 'imap.example.com'.
- Peer's certificate issuer is not a CA
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (400, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnutls-bin depends on:
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libgcrypt11            1.4.4-6           LGPL Crypto library - runtime libr
ii  libgnutls26            2.8.5-2           the GNU TLS library - runtime libr
ii  libreadline6           6.0-5             GNU readline and history libraries
ii  libtasn1-3             2.3-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information

More information about the Pkg-gnutls-maint mailing list