Bug#672345: gnutls-bin: recent versions don't like RapidSSL signatures

Andreas Metzler ametzler at downhill.at.eu.org
Thu May 10 17:43:05 UTC 2012

On 2012-05-10 Russell Coker <russell at coker.com.au> wrote:
> Package: gnutls-bin
> Version: 3.0.19-2
> Severity: normal

> $ gnutls-cli -V mail.bluebottle.com -p 443
> Processed 152 CA certificate(s).
> Resolving 'mail.bluebottle.com'...
> Connecting to ''...
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - The hostname in the certificate matches 'mail.bluebottle.com'.
> *** Verifying server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.

> The above is what happens when I use gnutls-cli from a Debian/Unstable system
> to try and connect to a web server with a RapidSSL signed certificate.

> Doing the same thing with a Debian/Squeeze system gets the following:


Recent versions of gnutls-cli try to check the certificate against
/etc/ssl/certs/ca-certificates.crt *by* *default*. If verification fails
the connection is aborted. The squeeze version behaves the same way
if --x509cafile /etc/ssl/certs/ca-certificates.crt ist set.

Use --insecure to override the behavior.

FWIW I cannot get openssl to verify the certificate either against the
certs in the ca-certificates package. I guess this might be because
you are not serving the necessary intermediate certificate (Equifax
Secure Certificate Authority certifying RapidSSL CA).

cu andreas

More information about the Pkg-gnutls-maint mailing list