Bug#721726: gnutls-bin: Error setting the x509 trust file
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Sep 3 14:19:02 UTC 2013
Package: gnutls-bin
Version: 3.2.4-1
Severity: normal
Control: notfound -1 3.2.3-1

With version 3.2.4-1 (from experimental), loading the system trust
file fails with "Error setting the x509 trust file", which means that
no certificates can be verified upon load. If I manually supply
--x509cafile /etc/ssl/certs/ca-certificates.crt, then it works as
expected.

This misbehavior does not happen in 3.2.3-1.

0 dkg at alice:~$ gnutls-cli google.com
Error setting the x509 trust file
Resolving 'google.com'...
Connecting to '2607:f8b0:4006:802::1001:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA1, activated `2013-08-14 22:06:49 UTC', expires `2014-08-14 22:06:49 UTC', SHA-1 fingerprint `7818f633b9a6f7481de186dd5054580633df1ca9'
Public Key Id:
418ec51539387160b7ae73e92cdd41832f6015e5
Public key's random art:
+--[ EC 256]----+
| .*=*=. |
| *+o+o |
| . oo.oE |
| oo. o |
| .S..o . |
| ...o |
| o.oo . |
| .=. . |
| .o |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-05 15:15:55 UTC', expires `2015-04-04 15:15:55 UTC', SHA-1 fingerprint `d83c1a7f4d0446bb2081b81a1670f8183451ca24'
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
1 dkg at alice:~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt google.com
Processed 158 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4006:802::1001:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', EC key 256 bits, signed using RSA-SHA1, activated `2013-08-14 22:06:49 UTC', expires `2014-08-14 22:06:49 UTC', SHA-1 fingerprint `7818f633b9a6f7481de186dd5054580633df1ca9'
Public Key Id:
418ec51539387160b7ae73e92cdd41832f6015e5
Public key's random art:
+--[ EC 256]----+
| .*=*=. |
| *+o+o |
| . oo.oE |
| oo. o |
| .S..o . |
| ...o |
| o.oo . |
| .=. . |
| .o |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-05 15:15:55 UTC', expires `2015-04-04 15:15:55 UTC', SHA-1 fingerprint `d83c1a7f4d0446bb2081b81a1670f8183451ca24'
- Certificate[2] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- Status: The certificate is trusted.
- Description: (TLS1.2-PKIX)-(ECDHE-ECDSA-SECP256R1)-(AES-128-GCM)-(AEAD)
- Session ID: 32:82:68:D1:D5:1A:BA:AF:4A:52:76:1E:AA:07:60:3A:14:13:6C:56:08:8C:83:30:71:0E:0B:67:7B:69:61:13
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
0 dkg at alice:~$
--dkg
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-rc4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnutls-bin depends on:
ii libc6 2.17-92
ii libgmp10 2:5.1.2+dfsg-2
ii libgnutls28 3.2.4-1
ii libhogweed2 2.7.1-1
ii libidn11 1.28-1
ii libnettle4 2.7.1-1
ii libopts25 1:5.18-2
ii libp11-kit0 0.18.5-2
ii libtasn1-6 3.3-2
ii zlib1g 1:1.2.8.dfsg-1
gnutls-bin recommends no packages.
gnutls-bin suggests no packages.
-- debconf-show failed
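
Added example (not part of the original report, and not GnuTLS code): a triage helper that separates the failure reported above, where the client could not load its trust store, from a chain that really is untrusted, since both end in "The certificate issuer is unknown". The function names and the abridged sample transcripts are constructed for illustration from the two sessions in the report.

```shell
#!/bin/sh
# Added example; classify_gnutls_transcript is a hypothetical helper name.
# Reads a gnutls-cli transcript on stdin and prints one verdict word.
classify_gnutls_transcript() {
    awk '
        /Error setting the x509 trust file/      { store_failed = 1 }
        /Status: The certificate is NOT trusted/ { untrusted = 1 }
        /Status: The certificate is trusted/     { trusted = 1 }
        END {
            # A store load failure makes any "NOT trusted" verdict a local
            # artefact: the client had no anchors to verify against.
            if (store_failed)   print "trust-store-load-failed"
            else if (untrusted) print "chain-untrusted"
            else if (trusted)   print "chain-trusted"
            else                print "no-verdict"
        }'
}

# Constructed sample: abridged from the first session in the report.
sample_default() {
cat <<'EOF'
Error setting the x509 trust file
Resolving 'google.com'...
- Got a certificate list of 3 certificates.
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
EOF
}

# Constructed sample: abridged from the second session (--x509cafile given).
sample_explicit() {
cat <<'EOF'
Processed 158 CA certificate(s).
Resolving 'google.com'...
- Got a certificate list of 3 certificates.
- Status: The certificate is trusted.
- Handshake was completed
EOF
}

printf 'default store: %s\n' "$(sample_default | classify_gnutls_transcript)"
printf 'explicit file: %s\n' "$(sample_explicit | classify_gnutls_transcript)"
```

On a live system the transcript would come from `gnutls-cli HOST 2>&1 </dev/null`; a `trust-store-load-failed` verdict points at the client's configuration or build, not at the server's certificate.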