Bug#513922: Fails to verify good(?) signature
Simon Josefsson
simon at josefsson.org
Mon Feb 2 14:40:28 UTC 2009
Joachim Breitner <nomeata at debian.org> writes:
> Package: libgnutls26
> Version: 2.4.2-5
> Severity: important
>
> Hi Andreas,
>
> with your recent upload of gnults, this signature of a host with a
> recently generated cacert signature is no longer valid:
>
> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
...
> - Peer's certificate is NOT trusted
CACert's intermediate certificate is signed using RSA-MD5, so it won't
pass GnuTLS chain verification logic.
I've improved the error message, so now the above command will print:
- Peer's certificate chain uses insecure algorithm
- Peer's certificate is NOT trusted
As a workaround, add the --insecure parameter.
We should probably consider to back-port Donald's logic to short-circuit
chain verification as soon as you have a trusted cert: then you could
chose to trust CACerts intermediate cert, and then there is no need to
rely on RSA-MD5 to trust this chain. I'll test if the patch would help
in your situation.
/Simon
More information about the Pkg-gnutls-maint
mailing list