Bug#513922: Fails to verify good(?) signature
simon at josefsson.org
Sat Feb 7 18:37:11 UTC 2009
Andreas Metzler <ametzler at downhill.at.eu.org> writes:
> On 2009-02-02 Simon Josefsson <simon at josefsson.org> wrote:
>> Joachim Breitner <nomeata at debian.org> writes:
>>> Am Montag, den 02.02.2009, 15:40 +0100 schrieb Simon Josefsson:
>>>>> Package: libgnutls26
>>>>> Version: 2.4.2-5
>>>>> Severity: important
>>>>> Hi Andreas,
>>>>> with your recent upload of gnults, this signature of a host with a
>>>>> recently generated cacert signature is no longer valid:
>>>>> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
>>>>> - Peer's certificate is NOT trusted
>>>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>>>> pass GnuTLS chain verification logic.
>>>> We should probably consider to back-port Donald's logic to short-circuit
>>>> chain verification as soon as you have a trusted cert: then you could
>>>> chose to trust CACerts intermediate cert, and then there is no need to
>>>> rely on RSA-MD5 to trust this chain. I'll test if the patch would help
>>>> in your situation.
> I have just uploaded 2.4.2-6 (which is basically 2.4.3 without all the
> changes from autogenerated files for easier review.) to unstable. This
> should fix (workaround) your problem, since it makes t possible to
> trust the intermediate cert.
Thanks. I can confirm that it solves the problem:
jas at mocca:~$ LD_PRELOAD=/usr/lib/libgnutls.so /usr/bin/gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /usr/share/ca-certificates/cacert.org/root.crt
- Peer's certificate is NOT trusted
Which is correct since the chain contains a RSA-MD5 signature. (The
better error message is not printed here though, that change was not
Trying it again with the intermediate cert works fine:
jas at mocca:~$ LD_PRELOAD=/usr/lib/libgnutls.so /usr/bin/gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /usr/share/ca-certificates/cacert.org/class3.crt
- Peer's certificate is trusted
So I think everything works as expected now.
So, shouldn't this bug be marked as fixed with 2.4.2-6?
More information about the Pkg-gnutls-maint