Bug#513922: Fails to verify good(?) signature

Andreas Metzler ametzler at downhill.at.eu.org
Sat Feb 7 12:34:23 UTC 2009

On 2009-02-02 Simon Josefsson <simon at josefsson.org> wrote:
> Joachim Breitner <nomeata at debian.org> writes:
>> Am Montag, den 02.02.2009, 15:40 +0100 schrieb Simon Josefsson:
>>>> Package: libgnutls26
>>>> Version: 2.4.2-5
>>>> Severity: important

>>>> Hi Andreas,
>>>> with your recent upload of gnults, this signature of a host with a
>>>> recently generated cacert signature is no longer valid:

>>>> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt 
>>> ...
>>>> - Peer's certificate is NOT trusted

>>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>>> pass GnuTLS chain verification logic.
>>> We should probably consider to back-port Donald's logic to short-circuit
>>> chain verification as soon as you have a trusted cert: then you could
>>> chose to trust CACerts intermediate cert, and then there is no need to
>>> rely on RSA-MD5 to trust this chain.  I'll test if the patch would help
>>> in your situation.


I have just uploaded 2.4.2-6 (which is basically 2.4.3 without all the
changes from autogenerated files for easier review.) to unstable. This
should fix (workaround) your problem, since it makes t possible to
trust the intermediate cert.

cu andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Pkg-gnutls-maint mailing list