Bug#513922: Fails to verify good(?) signature
Joachim Breitner
nomeata at debian.org
Mon Feb 2 13:32:34 UTC 2009
Package: libgnutls26
Version: 2.4.2-5
Severity: important
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Andreas,
with your recent upload of gnults, this signature of a host with a
recently generated cacert signature is no longer valid:
$ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'fry.serverama.de'...
Connecting to '78.47.178.157:443'...
- - Ephemeral Diffie-Hellman parameters
- Using prime: 1032 bits
- Secret key: 1016 bits
- Peer's public key: 1032 bits
- - Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'fry.serverama.de'.
# valid since: Fri Jan 16 23:29:47 CET 2009
# expires at: Sun Jan 16 23:29:47 CET 2011
# serial number: 6E:68
# fingerprint: EE:DD:CA:43:34:55:09:86:A7:AD:9F:97:6A:64:F2:34
# version: #3
# public key algorithm: RSA (1024 bits)
# e [24 bits]: 01:00:01
# m [1024 bits]: C8:77:59:24:7C:0F:1C:3F:CC:30:19:A4:73:23:03:54:E8:D0:72:48:6A:8C:91:F5:3A:B3:41:F2:E0:9F:B6:2B:B1:01:6B:44:C7:9F:54:C5:98:1E:21:05:01:52:53:45:C3:B9:1A:E5:2D:93:0D:C8:C4:02:CB:97:23:4C:97:BC:49:6D:91:12:CD:12:B0:DD:3C:F7:36:D3:37:0E:8A:41:F0:BE:EB:23:C0:0D:CB:B1:E1:E8:FE:50:44:C5:89:F4:E2:72:88:B8:52:A4:08:B4:4E:E2:5E:1A:BF:A4:2A:8B:C7:46:3E:B8:57:6F:CD:B6:83:E0:0E:CC:AD:1C:CB:7D
# Subject's DN: CN=fry.serverama.de
# Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
- Certificate[1] info:
# valid since: Fri Oct 14 09:36:55 CEST 2005
# expires at: Mon Mar 28 09:36:55 CEST 2033
# serial number: 01
# fingerprint: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6
# version: #3
# public key algorithm: RSA (4096 bits)
# e [24 bits]: 01:00:01
# m [4096 bits]: Unknown
# Subject's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
# Issuer's DN: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support at cacert.org
- - Peer's certificate is NOT trusted
- - Version: TLS1.0
- - Key Exchange: DHE-RSA
- - Cipher: AES-128-CBC
- - MAC: SHA1
- - Compression: NULL
- - Session ID: 80:65:73:F1:41:61:D9:13:28:2B:F4:0B:5D:EE:96:87:6A:38:35:4C:75:D4:24:CC:DF:81:23:DE:67:22:02:2B
*** Verifying server certificate failed...
$ # It used to work though:
$ sudo dpkg -i /tmp/libgnutls26_2.4.2-4_amd64.deb
dpkg - Warnung: deaktualisiere libgnutls26 von 2.4.2-5 zu 2.4.2-4.
(Lese Datenbank ... 175611 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereiten zum Ersetzen von libgnutls26 2.4.2-5 (durch .../libgnutls26_2.4.2-4_amd64.deb) ...
Entpacke Ersatz für libgnutls26 ...
Richte libgnutls26 ein (2.4.2-4) ...
$ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'fry.serverama.de'...
Connecting to '78.47.178.157:443'...
- - Ephemeral Diffie-Hellman parameters
- Using prime: 1032 bits
- Secret key: 1016 bits
- Peer's public key: 1024 bits
- - Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'fry.serverama.de'.
# valid since: Fri Jan 16 23:29:47 CET 2009
# expires at: Sun Jan 16 23:29:47 CET 2011
# serial number: 6E:68
# fingerprint: EE:DD:CA:43:34:55:09:86:A7:AD:9F:97:6A:64:F2:34
# version: #3
# public key algorithm: RSA (1024 bits)
# e [24 bits]: 01:00:01
# m [1024 bits]: C8:77:59:24:7C:0F:1C:3F:CC:30:19:A4:73:23:03:54:E8:D0:72:48:6A:8C:91:F5:3A:B3:41:F2:E0:9F:B6:2B:B1:01:6B:44:C7:9F:54:C5:98:1E:21:05:01:52:53:45:C3:B9:1A:E5:2D:93:0D:C8:C4:02:CB:97:23:4C:97:BC:49:6D:91:12:CD:12:B0:DD:3C:F7:36:D3:37:0E:8A:41:F0:BE:EB:23:C0:0D:CB:B1:E1:E8:FE:50:44:C5:89:F4:E2:72:88:B8:52:A4:08:B4:4E:E2:5E:1A:BF:A4:2A:8B:C7:46:3E:B8:57:6F:CD:B6:83:E0:0E:CC:AD:1C:CB:7D
# Subject's DN: CN=fry.serverama.de
# Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
- Certificate[1] info:
# valid since: Fri Oct 14 09:36:55 CEST 2005
# expires at: Mon Mar 28 09:36:55 CEST 2033
# serial number: 01
# fingerprint: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6
# version: #3
# public key algorithm: RSA (4096 bits)
# e [24 bits]: 01:00:01
# m [4096 bits]: Unknown
# Subject's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
# Issuer's DN: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support at cacert.org
- - Peer's certificate is trusted
- - Version: TLS1.0
- - Key Exchange: DHE-RSA
- - Cipher: AES-128-CBC
- - MAC: SHA1
- - Compression: NULL
- - Session ID: 6F:C0:1E:89:68:FE:D3:84:3A:FE:6E:4E:75:E0:47:FA:D8:25:31:CF:DF:51:9A:43:74:55:34:3F:97:6E:C9:44
- - Handshake was completed
- - Simple Client Mode:
^C
OpenSSL has no issue with this host:
$ openssl s_client -connect fry.serverama.de:443 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
verify return:1
depth=1 /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
verify return:1
depth=0 /CN=fry.serverama.de
verify return:1
- ---
Certificate chain
0 s:/CN=fry.serverama.de
i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support at cacert.org
- ---
Server certificate
- -----BEGIN CERTIFICATE-----
MIIE3zCCAsegAwIBAgICbmgwDQYJKoZIhvcNAQEFBQAwVDEUMBIGA1UEChMLQ0Fj
ZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UE
AxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDAeFw0wOTAxMTYyMjI5NDdaFw0xMTAxMTYy
MjI5NDdaMBsxGTAXBgNVBAMTEGZyeS5zZXJ2ZXJhbWEuZGUwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMh3WSR8Dxw/zDAZpHMjA1To0HJIaoyR9TqzQfLgn7Yr
sQFrRMefVMWYHiEFAVJTRcO5GuUtkw3IxALLlyNMl7xJbZESzRKw3Tz3NtM3DopB
8L7rI8ANy7Hh6P5QRMWJ9OJyiLhSpAi0TuJeGr+kKovHRj64V2/NtoPgDsytHMt9
AgMBAAGjggF2MIIBcjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUFBwMC
BggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIFoDAz
BggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmNhY2VydC5v
cmcvMIHpBgNVHREEgeEwgd6CEGZyeS5zZXJ2ZXJhbWEuZGWgHgYIKwYBBQUHCAWg
EgwQZnJ5LnNlcnZlcmFtYS5kZYIQZnJ5LnNlcnZlcmFtYS5kZaAeBggrBgEFBQcI
BaASDBBmcnkuc2VydmVyYW1hLmRlghIqLmZyeS5zZXJ2ZXJhbWEuZGWgIAYIKwYB
BQUHCAWgFAwSKi5mcnkuc2VydmVyYW1hLmRlggd6cHViLmRloBUGCCsGAQUFBwgF
oAkMB3pwdWIuZGWCCSouenB1Yi5kZaAXBggrBgEFBQcIBaALDAkqLnpwdWIuZGUw
DQYJKoZIhvcNAQEFBQADggIBAEWSsOlLbjdRjijMmOnDc2RcLQ5PQC9pjUW+bzGR
KTJbf8Hf/wSdmHAam+UsIM6HzdQVi058dGyb8/NJQJD+9Dgv1m57x1prLerkt6xq
UQCYmOpMxCJOykLqzEUnou9WtL5FaD+wBlOuqWFy0Cy2O3LHXkSkaMR+gdxC4pkI
wSkI2SDdC0juvnoVI7iBaaIhYI/1FwV56hc6lxsAslf0NbtiiwhneVbHm5XRK1d4
tabVKwOHnEuDyAnZd1yM1EqXKz+NwBlhoKWhC0fVUByID5A2WGEejBJcW/lVrYft
4+sJpnwS+/VDS5yrDXMqMdYGE8TVMy7RsaoUdaeFQYv4Go48BBGDJB5uEkBJiSq8
ViZA4iEKujBa5zKJ+CZXy3D/eHLBKUL+ayc9dLeeFTPZU0jYb83kE1wtlnWwF4J1
8lUQI10nLFg+ALoZoAmFZej19XgbyG6im+ZRFuwrpV6F3HJRP+AMNInsLoQTuD9I
l2gftVaIU1MqUmVMBcUeeNXG1BZ9vRonKzAC4Otfk1B6aW4Lz0E+sZ+HfCMicD3j
N01KAeNZ64j8emgnLffurb7qUWbanTpMEzxrelBRufxJkXcn6BcFcxPBVgFnsMgF
tP7e7N/cm55pI8Et+Gjp+ORJetSio118yu9bf7etSAJWOS6tQ2Ac7JeKP+a8jsvq
Uyx7
- -----END CERTIFICATE-----
subject=/CN=fry.serverama.de
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
- ---
No client certificate CA names sent
- ---
SSL handshake has read 3366 bytes and written 316 bytes
- ---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 52B646BBE0264083CDDE1C54C6C1C86DEF52414F56AB99D4AFB14929FD410203
Session-ID-ctx:
Master-Key: F9D184A880B1E6276C37E67887F896C706D210D61314AA9FEFB55DFD053C2FA1AA0DA072E4FAE671941526AC3583F66F
Key-Arg : None
Start Time: 1233581524
Timeout : 300 (sec)
Verify return code: 0 (ok)
- ---
Do you have an idea what’s wrong?
Greetings,
Joachim
- -- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgnutls26 depends on:
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libgcrypt11 1.4.1-2 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libtasn1-3 1.5-1 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
libgnutls26 recommends no packages.
Versions of packages libgnutls26 suggests:
ii gnutls-bin 2.4.2-5 the GNU TLS library - commandline
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmG9fEACgkQ9ijrk0dDIGw7ZwCgwmPzK7BJ0rsz8AFrsTktVLcc
zDoAn3hE4e+FqRbOXKn3WbcZ9SCbdcb8
=ZyZk
-----END PGP SIGNATURE-----
More information about the Pkg-gnutls-maint
mailing list