Bug#513922: Fails to verify good(?) signature
ametzler at downhill.at.eu.org
Sat Feb 7 12:34:23 UTC 2009
On 2009-02-02 Simon Josefsson <simon at josefsson.org> wrote:
> Joachim Breitner <nomeata at debian.org> writes:
>> Am Montag, den 02.02.2009, 15:40 +0100 schrieb Simon Josefsson:
>>>> Package: libgnutls26
>>>> Version: 2.4.2-5
>>>> Severity: important
>>>> Hi Andreas,
>>>> with your recent upload of gnutls, this signature of a host with a
>>>> recently generated cacert signature is no longer valid:
>>>> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
>>>> - Peer's certificate is NOT trusted
>>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>>> pass GnuTLS chain verification logic.
>>> We should probably consider to back-port Donald's logic to short-circuit
>>> chain verification as soon as you have a trusted cert: then you could
>>> choose to trust CACerts intermediate cert, and then there is no need to
>>> rely on RSA-MD5 to trust this chain. I'll test if the patch would help
>>> in your situation.
I have just uploaded 2.4.2-6 (which is basically 2.4.3 without all the
changes from autogenerated files for easier review) to unstable. This
should fix (work around) your problem, since it makes it possible to
trust the intermediate cert.
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
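Added example, not code from GnuTLS or from anyone in this thread: a small Python model of the chain-walking behaviour the thread is about. The "certificates" are plain records and the "signature" is hash(issuer secret || to-be-signed bytes), so it runs offline with the standard library only; the names ("Toy Root CA", "Toy Intermediate", "example.invalid") and the idea that the older verifier kept walking to the self-signed root even after meeting a trusted intermediate are assumptions made for the illustration. The constructed chain has the same shape as the reported one: the root signs the intermediate with MD5, the intermediate signs the host with SHA-256. With only the root in the trust store the walk has to check the MD5 signature and fails; with the intermediate added and the short-circuit in place the walk stops at the intermediate and never looks at that signature; without the short-circuit, adding the intermediate changes nothing.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ToyCert:
    """Stand-in for an X.509 certificate (constructed for this example)."""
    subject: str
    issuer: str
    sig_alg: str            # hash the issuer used when signing this cert
    secret: bytes           # toy private key; its sha256 acts as the public key
    signature: bytes = b""

    def tbs(self) -> bytes:
        """The 'to be signed' part: names, algorithm, and public material."""
        pub = hashlib.sha256(self.secret).digest()
        return f"{self.subject}|{self.issuer}|{self.sig_alg}|".encode() + pub


def sign(cert: ToyCert, issuer: ToyCert) -> ToyCert:
    """Toy signature: hash(issuer secret || tbs). Not RSA, just enough to
    bind every cert to its issuer with a checkable value."""
    cert.signature = hashlib.new(cert.sig_alg, issuer.secret + cert.tbs()).digest()
    return cert


def signature_ok(cert: ToyCert, issuer: ToyCert) -> bool:
    expected = hashlib.new(cert.sig_alg, issuer.secret + cert.tbs()).digest()
    return hmac.compare_digest(expected, cert.signature)


def verify_chain(chain: List[ToyCert], trust_store: Dict[str, ToyCert],
                 disallowed_algs=frozenset({"md5"}),
                 short_circuit: bool = True) -> Tuple[bool, str]:
    """Walk from the leaf (chain[0]) towards a trust anchor.

    short_circuit=True models the behaviour discussed in the thread: stop as
    soon as the current cert is itself in the trust store, so the signature
    on it (and the algorithm behind it) is never examined.
    short_circuit=False models (an assumption) a verifier that keeps walking
    to the self-signed root regardless of what it has already trusted.
    """
    by_subject = {c.subject: c for c in chain}
    cert = chain[0]
    for depth in range(len(chain) + len(trust_store) + 1):
        anchor = trust_store.get(cert.subject)
        # Match the anchor by content, not just by name, so a forged cert
        # carrying a trusted subject name does not get a free pass.
        is_anchor = anchor is not None and anchor.tbs() == cert.tbs()
        if is_anchor and (short_circuit or cert.subject == cert.issuer):
            return True, f"trusted anchor {cert.subject!r} reached at depth {depth}"
        if cert.subject == cert.issuer:
            return False, f"self-signed {cert.subject!r} is not a trust anchor"
        issuer = by_subject.get(cert.issuer) or trust_store.get(cert.issuer)
        if issuer is None:
            return False, f"no issuer found for {cert.subject!r}"
        if cert.sig_alg in disallowed_algs:
            return False, f"{cert.subject!r} is signed with {cert.sig_alg}"
        if not signature_ok(cert, issuer):
            return False, f"bad signature on {cert.subject!r}"
        cert = issuer
    return False, "chain does not terminate at a trust anchor"


def build_demo_chain():
    """Constructed chain shaped like the reported one: root signs the
    intermediate with MD5, the intermediate signs the host with SHA-256."""
    root = ToyCert("Toy Root CA", "Toy Root CA", "sha256", b"root-secret")
    sign(root, root)
    inter = ToyCert("Toy Intermediate", "Toy Root CA", "md5", b"inter-secret")
    sign(inter, root)
    leaf = ToyCert("example.invalid", "Toy Intermediate", "sha256", b"leaf-secret")
    sign(leaf, inter)
    return leaf, inter, root


def demo():
    leaf, inter, root = build_demo_chain()
    chain = [leaf, inter]                      # what the server would send
    only_root = {root.subject: root}
    root_and_inter = {root.subject: root, inter.subject: inter}
    return {
        "root only": verify_chain(chain, only_root),
        "intermediate trusted, short-circuit": verify_chain(chain, root_and_inter),
        "intermediate trusted, no short-circuit":
            verify_chain(chain, root_and_inter, short_circuit=False),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:40s} {'OK  ' if ok else 'FAIL'} {why}")
```

The anchor comparison on the full to-be-signed bytes matters: a short-circuit keyed on the subject name alone would let any certificate that merely claims the intermediate's name end the walk early.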