Bug#513922: Fails to verify good(?) signature

Simon Josefsson simon at josefsson.org
Mon Feb 2 14:40:28 UTC 2009

Joachim Breitner <nomeata at debian.org> writes:

> Package: libgnutls26
> Version: 2.4.2-5
> Severity: important
> Hi Andreas,
> with your recent upload of gnults, this signature of a host with a
> recently generated cacert signature is no longer valid:
> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt 
> - Peer's certificate is NOT trusted

CACert's intermediate certificate is signed using RSA-MD5, so it won't
pass GnuTLS chain verification logic.

I've improved the error message, so now the above command will print:

- Peer's certificate chain uses insecure algorithm
- Peer's certificate is NOT trusted

As a workaround, add the --insecure parameter.

We should probably consider to back-port Donald's logic to short-circuit
chain verification as soon as you have a trusted cert: then you could
chose to trust CACerts intermediate cert, and then there is no need to
rely on RSA-MD5 to trust this chain.  I'll test if the patch would help
in your situation.


More information about the Pkg-gnutls-maint mailing list