Bug#573736: https SSL verification fails
Jonathan Nieder
jrnieder at gmail.com
Thu Mar 25 23:24:33 UTC 2010
reassign 573736 libgnutls26 2.8.6-1
thanks
Hi GnuTLS maintainers,
As mirabilos reports, verification of the alioth.debian.org
certificates is failing, which means that commands such as
    git clone https://alioth.debian.org/anonscm/git/pkg-wml/pkg-wml.git
fail. The problem is reproducible using gnutls-cli. Ideas?
Thorsten Glaser wrote:
> Jonathan Nieder dixit:
>> - The hostname in the certificate matches '<host>'
>> - Peer's certificate issuer is unknown
>> - Peer's certificate is NOT trusted
>
> Interesting, as it should be trusted. Maybe GnuTLS has a problem
> with the certificate _chain_ involving an intermediate?
Maybe. This command gives more output:
    gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt -p 443 $host
It likes sourceforge.net (one signature) and dislikes alioth.debian.org
(three-signature chain), so that could be it.
Reassigning to libgnutls26 since this is reproducible without use of
git or curl.
>> people elsewhere do) and when using GnuTLS backend (as Debian does for
>> political reasons)?
Yes, politics or paranoia. I find it unlikely that some copyright
holder for GPL code in Git is going to sue over use of OpenSSL, but
Debian policy is to worry about it anyway. Though in the case of
libcurl (the part of the interface Git uses is backend-agnostic) it
doesn’t seem so cut and dried to me.
Thanks,
Jonathan