curl and certificate verification in jessie
Tollef Fog Heen
tfheen at err.no
Mon Dec 1 10:18:19 UTC 2014
]] Alessandro Ghedini
> On Sat, Nov 29, 2014 at 01:10:20 +0100, Peter Palfrader wrote:
> > I recently started to move parts of debian.org's infrastructure to jessie. I
> > noticed a regression with software using curl to do https with certificate
> > verification.
> > On wheezy, this works:
> > | weasel at mipsel-manda-01:~$ cat /etc/apt/apt.conf.d/puppet-https-buildd
> > | Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";
> > | weasel at mipsel-manda-01:~$ tail -n1 /etc/apt/sources.list.d/buildd.debian.org.list
> > | deb https://buildd.debian.org/apt/ wheezy main
> > I.e., I can use a local copy of the expected end-entity certificate to
> > authenticate a https server.
> > On jessie this no longer works:
> > } Err https://buildd.debian.org wheezy/main mipsel Packages
> > } server certificate verification failed. CAfile: /etc/ssl/servicecerts/buildd.debian.org.crt CRLfile: none
> I assume that this is using apt-transport-https, which in turn uses
Yes. We're seeing the same problem when verifying HTTPS URLs with git,
which uses curl under the hood. Presumably other software using
curl/gnutls has the same problem.
> > Is this intentional, or is that a bug in either gnutls, curl, or the software
> > using these libraries?
> AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
> build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
> to a single leaf certificate and have the verification succeed.
> FWIW the current behaviour is the same with openssl. I don't know if there's a
> reason for it though.
Can we get it reverted/fixed? We consider it a security-related
regression compared to wheezy and while we could run private builds of
the code on debian.org, that'd be pretty silly (and a waste of
manpower). Not to mention that gnutls26 isn't even in jessie any more.
Tollef Fog Heen, DSA
UNIX is user friendly, it's just picky about who its friends are
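The failure Alessandro describes (a CAfile holding only the server's leaf certificate no longer verifies that leaf under gnutls28, and OpenSSL behaves the same way) reproduced with the openssl CLI, as an added example rather than code from the thread. It builds a throwaway CA and leaf, assumes `openssl` 1.0.2 or newer on PATH, and adds OpenSSL's `-partial_chain` verify flag as a third case to show which verifier behaviour the wheezy setup was relying on; the thread itself does not mention that flag.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce with the openssl CLI why a
# CAfile holding only the server's leaf certificate fails to verify that leaf.
# Assumes `openssl` (1.0.2 or newer, for -partial_chain) is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway PKI: a CA and one leaf it issues. The hostname is a
# placeholder; nothing here contacts buildd.debian.org.
make_pki() {
    cat > "$WORK/ossl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
EOF
    openssl req -x509 -config "$WORK/ossl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -config "$WORK/ossl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_with CAFILE [extra `openssl verify` flags]: prints ok or fail.
verify_with() {
    cafile=$1; shift
    if openssl verify -CAfile "$cafile" "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
# 1. Trust store = issuing CA: the ordinary case, succeeds.
echo "CA as CAfile:          $(verify_with "$WORK/ca.pem")"
# 2. Trust store = the leaf itself (what CURLOPT_CAINFO pointed at on wheezy):
#    the verifier looks for the leaf's issuer in the store and does not find it.
echo "leaf as CAfile:        $(verify_with "$WORK/leaf.pem")"
# 3. Same store, but a trusted non-CA certificate may terminate the chain.
echo "leaf + -partial_chain: $(verify_with "$WORK/leaf.pem" -partial_chain)"
```

Case 2 is the jessie behaviour from the report: the only cert in the store is not the leaf's issuer, so chain building stops with "unable to get local issuer certificate".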