Bug#513922: Fails to verify good(?) signature

Joachim Breitner nomeata at debian.org
Mon Feb 2 14:45:55 UTC 2009


Hi Simon,

On Monday, 02.02.2009, at 15:40 +0100, Simon Josefsson wrote:
> > Package: libgnutls26
> > Version: 2.4.2-5
> > Severity: important
> >
> > Hi Andreas,
> >
> > with your recent upload of gnutls, this signature of a host with a
> > recently generated cacert signature is no longer valid:
> >
> > $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt 
> ...
> > - Peer's certificate is NOT trusted
> 
> CACert's intermediate certificate is signed using RSA-MD5, so it won't
> pass GnuTLS chain verification logic.

Ah, ok, that explains it of course. I didn’t spot any MD5 in the verbose
output, so I thought this was unexpected behavior.

> I've improved the error message, so now the above command will print:
> 
> - Peer's certificate chain uses insecure algorithm
> - Peer's certificate is NOT trusted

Great, much better.

> As a workaround, add the --insecure parameter.
> 
> We should probably consider back-porting Donald's logic to short-circuit
> chain verification as soon as you have a trusted cert: then you could
> choose to trust CACert's intermediate cert, and then there is no need to
> rely on RSA-MD5 to trust this chain.  I'll test if the patch would help
> in your situation.

The error occurred when using subversion, and there I can just add
the certificate directly to the trusted certificate ones, so from my
PoV, there is no urgent need for this.

It would be nice, though, especially if the intermediate certificate
could be added to the ca-certificates package.

Greetings and thanks for the quick answer,
Joachim
-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
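
Added example, not part of the original mail and not GnuTLS code: a simplified Python model of the short-circuit behaviour discussed above, showing why explicitly trusting the intermediate only helps once verification stops at the first trusted certificate. The `Cert` type, `verify_chain` and the certificate names are hypothetical, and no real signatures are checked.

```python
from dataclasses import dataclass

# Assumption: signature algorithms the modelled verifier rejects.
INSECURE_SIG_ALGS = {"RSA-MD5"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate

def verify_chain(chain, trust_store, short_circuit):
    """Check a leaf-first chain; return (trusted, list of problems)."""
    problems = []
    trusted_names = {c.subject for c in trust_store}
    anchored = False
    for cert in chain:
        if short_circuit and cert in trust_store:
            # Explicitly trusted: the signature on this cert is never evaluated.
            anchored = True
            break
        if cert.sig_alg in INSECURE_SIG_ALGS:
            problems.append(f"{cert.subject}: insecure algorithm {cert.sig_alg}")
    else:
        # Whole presented chain examined; its top cert must come from a trusted CA.
        anchored = bool(chain) and chain[-1].issuer in trusted_names
    if not anchored:
        problems.append("no path to a trusted certificate")
    return (not problems, problems)

# Constructed sample data: an intermediate signed with RSA-MD5, as in the report.
ROOT = Cert("Example Root CA", "Example Root CA", "RSA-MD5")
INTERMEDIATE = Cert("Example Class 3 CA", "Example Root CA", "RSA-MD5")
LEAF = Cert("host.example", "Example Class 3 CA", "RSA-SHA1")
CHAIN = [LEAF, INTERMEDIATE]  # what the server presents

if __name__ == "__main__":
    cases = [
        ("root only, full walk", {ROOT}, False),
        ("intermediate trusted, full walk", {ROOT, INTERMEDIATE}, False),
        ("intermediate trusted, short-circuit", {ROOT, INTERMEDIATE}, True),
        ("root only, short-circuit", {ROOT}, True),
    ]
    for label, store, sc in cases:
        print(label, "->", verify_chain(CHAIN, store, sc))
```

Short-circuiting does not relax the algorithm policy: with only the root trusted, the RSA-MD5 link is still evaluated and the chain is still rejected.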