Bug#513922: Fails to verify good(?) signature

Simon Josefsson simon at josefsson.org
Sat Feb 7 18:37:11 UTC 2009 

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> On 2009-02-02 Simon Josefsson <simon at josefsson.org> wrote:
>> Joachim Breitner <nomeata at debian.org> writes:
>>> Am Montag, den 02.02.2009, 15:40 +0100 schrieb Simon Josefsson:
>>>>> Package: libgnutls26
>>>>> Version: 2.4.2-5
>>>>> Severity: important
>
>>>>> Hi Andreas,
>>>>> with your recent upload of gnults, this signature of a host with a
>>>>> recently generated cacert signature is no longer valid:
>
>>>>> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt 
>>>> ...
>>>>> - Peer's certificate is NOT trusted
>
>>>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>>>> pass GnuTLS chain verification logic.
> [...]
>>>> We should probably consider to back-port Donald's logic to short-circuit
>>>> chain verification as soon as you have a trusted cert: then you could
>>>> chose to trust CACerts intermediate cert, and then there is no need to
>>>> rely on RSA-MD5 to trust this chain.  I'll test if the patch would help
>>>> in your situation.
>
>
> Hello,
>
> I have just uploaded 2.4.2-6 (which is basically 2.4.3 without all the
> changes from autogenerated files for easier review.) to unstable. This
> should fix (workaround) your problem, since it makes t possible to
> trust the intermediate cert.

Thanks.  I can confirm that it solves the problem:

jas at mocca:~$ LD_PRELOAD=/usr/lib/libgnutls.so /usr/bin/gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /usr/share/ca-certificates/cacert.org/root.crt 
...
- Peer's certificate is NOT trusted

Which is correct since the chain contains a RSA-MD5 signature.  (The
better error message is not printed here though, that change was not
back-ported.)

Trying it again with the intermediate cert works fine:

jas at mocca:~$ LD_PRELOAD=/usr/lib/libgnutls.so /usr/bin/gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /usr/share/ca-certificates/cacert.org/class3.crt 
...
- Peer's certificate is trusted

So I think everything works as expected now.

So, shouldn't this bug be marked as fixed with 2.4.2-6?

/Simon

More information about the Pkg-gnutls-maint mailing list