Bug#691213: ncl.edu.tw vs. gnutls
jidanni at jidanni.org
Mon Oct 22 23:08:46 UTC 2012
X-debbugs-Cc: amb at gedanken.demon.co.uk
Package: libgnutls26
Version: 2.12.20-1
Dear gnutls maintainers, we might have found a bug.
Though I don't understand gnutls myself, I hope you can forward this bug
to whatever real origin it has. Thanks!
>>>>> "A" == Andrew M Bishop <amb at gedanken.demon.co.uk> writes:
A> Hi,
>> I guess there's no way to get to
>> http://www.ncl.edu.tw/
>> via WWWOFFLE.
>>
>> https://sso.ncl.edu.tw/SSO-web/login?service=http://www.ncl.edu.tw/outurl.asp?iNCL=&gateway=true;
>>
>> failed because
>>
>> Cannot secure the https (SSL) connection to sso.ncl.edu.tw port 443; [IO(gnutls): Key usage
>> violation in certificate has been detected.].
>>
>>
>> Other browsers don't even give any hint of a problem.
A> When I visit this site using Firefox (Iceweasel on Debian) and look at
A> the page info for the security information I see that the
A> sso.ncl.edu.tw certificate was issued by [a set of characters that my
A> browser cannot display] which itself was issued by the Taiwan
A> Government Root Certification Authority. All of the certificates have
A> valid dates and Firefox reports no errors.
A> I notice that wget also isn't happy:
A> $ wget https://sso.ncl.edu.tw/SSO-web/login
A> --2012-10-22 11:01:42-- https://sso.ncl.edu.tw/SSO-web/login
A> Resolving sso.ncl.edu.tw (sso.ncl.edu.tw)... 192.83.186.234
A> Connecting to sso.ncl.edu.tw (sso.ncl.edu.tw)|192.83.186.234|:443... connected.
A> GnuTLS: Key usage violation in certificate has been detected.
A> Unable to establish SSL connection.
A> I can also use a gnutls tool to get the certificate from the server:
A> $ gnutls-cli -p 443 sso.ncl.edu.tw --print-cert
A> Processed 150 CA certificate(s).
A> Resolving 'sso.ncl.edu.tw'...
A> Connecting to '192.83.186.234:443'...
A> |<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
A> - Peer's certificate is trusted
A> - The hostname in the certificate matches 'sso.ncl.edu.tw'.
A> *** Fatal error: Key usage violation in certificate has been detected.
A> - Certificate type: X.509
A> - Got a certificate list of 3 certificates.
A> By cutting and pasting the three certificates I get from this to a
A> file I can then try and verify the chain:
A> $ certtool --load-ca-certificate=/etc/ssl/certs/Taiwan_GRCA.pem --verify < sso.pem
A> Loaded 3 certificates, 1 CAs and 0 CRLs
A> Subject: C=TW,O=行政院,OU=政府憑證管理中心
A> Issuer: C=TW,O=Government Root Certification Authority
A> Checked against: C=TW,O=Government Root Certification Authority
A> Output: Verified.
A> Subject: C=TW,O=行政院,OU=教育部,OU=國家圖書館,CN=sso.ncl.edu.tw,serialNumber=0000000010015071
A> Issuer: C=TW,O=行政院,OU=政府憑證管理中心
A> Checked against: C=TW,O=行政院,OU=政府憑證管理中心
A> Output: Verified.
A> Chain verification output: Verified.
A> Also if I take the second and third certificate from the gnutls-cli
A> output and put them in one file (called sso23.pem) and put the first
A> certificate into a file of its own (called sso1.pem) then they verify
A> OK:
A> $ certtool --load-ca-certificate=sso23.pem --verify < sso1.pem
A> Loaded 1 certificates, 2 CAs and 0 CRLs
A> Subject: C=TW,O=行政院,OU=教育部,OU=國家圖書館,CN=sso.ncl.edu.tw,serialNumber=0000000010015071
A> Issuer: C=TW,O=行政院,OU=政府憑證管理中心
A> Checked against: C=TW,O=行政院,OU=政府憑證管理中心
A> Output: Verified.
A> Chain verification output: Verified.
A> So, in conclusion, I don't know what is going on. WWWOFFLE is doing
A> the same thing as wget and gnutls-cli and all three are complaining.
A> On the other hand when trying the certificates from gnutls-cli
A> manually against a known good Taiwan GRCA or checking the three parts
A> of the output of gnutls-cli against each other it works.
A> It could be a gnutls bug; if you send them a bug report using their
A> own tools (gnutls-cli and certtool) then they can verify it themselves
A> and perhaps explain how one method fails but others work.
A> --
A> Andrew.
A> ----------------------------------------------------------------------
A> Andrew M. Bishop amb at gedanken.demon.co.uk
A> http://www.gedanken.demon.co.uk/
A> WWWOFFLE homepage: http://www.gedanken.demon.co.uk/wwwoffle/
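The thread shows two checks disagreeing: certtool --verify, which checks signatures, validity dates, names and the trust anchor, passes, while the handshake-time check in WWWOFFLE, wget and gnutls-cli fails with "Key usage violation in certificate". One explanation consistent with that (a hypothesis, not something the thread establishes) is that the leaf certificate carries a KeyUsage extension without the bit the negotiated key exchange needs: static RSA key exchange needs keyEncipherment, while the Diffie-Hellman exchange gnutls-cli reports needs digitalSignature (RFC 5246 section 7.4.2), and chain verification never looks at those bits. The Go program below is an added example, not code from the bug report, GnuTLS or WWWOFFLE. It builds a constructed CA and leaf (placeholder names "Example CA" and sso.example.test) whose leaf has keyEncipherment only, shows that the chain verifies, and then applies the per-key-exchange rule that a handshake applies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyUsage bit the server certificate must carry for each TLS key-exchange
// family (RFC 5246 section 7.4.2, RFC 5280 section 4.2.1.3). The table is
// written for this example; it is the rule behind a "key usage violation".
var kxNeeds = map[string]x509.KeyUsage{
	"RSA":   x509.KeyUsageKeyEncipherment, // client encrypts the premaster secret to the RSA key
	"DHE":   x509.KeyUsageDigitalSignature, // server signs ServerKeyExchange
	"ECDHE": x509.KeyUsageDigitalSignature, // same signing requirement
}

// KeyUsageAllows reports whether leaf may be used with key exchange kx, and why.
// Go leaves KeyUsage at 0 when the extension is absent; an absent extension
// imposes no restriction.
func KeyUsageAllows(leaf *x509.Certificate, kx string) (bool, string) {
	need, known := kxNeeds[kx]
	if !known {
		return false, "unknown key exchange " + kx
	}
	if leaf.KeyUsage == 0 {
		return true, "no KeyUsage extension, nothing to violate"
	}
	if leaf.KeyUsage&need == 0 {
		return false, fmt.Sprintf("KeyUsage %#x lacks bit %#x needed by %s", leaf.KeyUsage, need, kx)
	}
	return true, "ok"
}

// ChainVerifies does what certtool --verify does in the thread: signatures,
// validity, name and trust anchor. Like certtool, Go's Verify does not
// consult the leaf's KeyUsage bits, so it passes for the constructed leaf.
func ChainVerifies(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// makeChain builds a constructed CA and a leaf for host whose KeyUsage is
// exactly leafUsage. Names are placeholders, not the thread's certificates.
func makeChain(host string, leafUsage x509.KeyUsage) (ca, leaf *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"TW"}, Organization: []string{"Example CA"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Country: []string{"TW"}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     leafUsage, // the only field that matters for the demonstration
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

func main() {
	const host = "sso.example.test"
	// keyEncipherment only: chain verifies, static RSA is fine, (EC)DHE is a violation.
	ca, leaf, err := makeChain(host, x509.KeyUsageKeyEncipherment)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain verifies:", ChainVerifies(ca, leaf, host))
	for _, kx := range []string{"RSA", "DHE", "ECDHE"} {
		ok, why := KeyUsageAllows(leaf, kx)
		fmt.Printf("%-5s allowed=%-5v %s\n", kx, ok, why)
	}
}
```

To apply the same check to a real server, load the first certificate printed by gnutls-cli --print-cert with encoding/pem and x509.ParseCertificate (both standard library) in place of the constructed leaf; KeyUsageAllows works unchanged. The example reproduces only the key-usage rule, not GnuTLS's cipher-suite selection, so whether this is the actual cause in the thread still has to be confirmed against the real certificate.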