curl and certificate verification in jessie

Tollef Fog Heen tfheen at
Mon Dec 1 21:06:59 UTC 2014

]] Alessandro Ghedini 

> On lun, dic 01, 2014 at 11:18:19 +0100, Tollef Fog Heen wrote:
> > > > Is this intentional, or is that a bug in either gnutls, curl, or the software
> > > > using these libraries?
> > > 
> > > AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
> > > build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
> > > to a single leaf certificate and have the verification succeed.
> > >
> > > FWIW the current behaviour is the same with openssl. I don't know if there's a
> > > reason for it though.
> > 
> > Can we get it reverted/fixed?
> If you are asking if curl is gonna go back to gnutls26, I don't think that's
> gonna happen. AFAICT it's not maintained upstream anymore and gnutls28 provides
> stuff like ECC support that's IMO more important.

I'm not asking for a particular course of action, I'm asking for a
specific goal to be reached.  (I otherwise agree that going back to
gnutls26 isn't a good idea.)

> As for fixing it, you need to discuss this with the gnutls maintainers.

That's why they are copied on the mail too.

> > We consider it a security-related regression compared to wheezy and while we
> > could run private builds of the code, that'd be pretty silly
> > (and a waste of manpower).
> What does "security-related regression" mean? (if anything this makes security
> checks tighter).

No, it doesn't necessarily.  As dkg points out, I can no longer say
«this service should have this particular cert».  This makes us
vulnerable to compromises of the CA that provides the cert for a given
service and a lowering of the overall security in this particular setup.

> The problem, I think, is that you provide curl (and thus gnutls) with
> a CA certificate that doesn't actually sign the end certificate of the
> site you are trying to connect to (even if the two are the same
> certificate).

Well, it's not a CA certificate. :-)

> Again, I don't know if this is intended or not, you need to talk with the gnutls
> maintainers.

Again, they're Cc-ed.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

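The behaviour the thread argues about (a trust store that contains only the
service's own leaf certificate is rejected by the newer library, whereas it
was accepted by gnutls26) can be reproduced with the openssl CLI without any
network. The script below is an added example, not code from the thread or
from curl/gnutls/openssl: it builds a throwaway CA and leaf (the CA name and
the hostname service.example.test are made up), then runs "openssl verify"
three times. Verifying against the CA succeeds, verifying against a CAfile
that holds only the leaf is rejected with the default flags, and the same
check succeeds once -partial_chain is given, which is the OpenSSL switch
(X509_V_FLAG_PARTIAL_CHAIN in the API) that lets a chain end at a trusted
non-root certificate.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "trust store holds only
# the leaf" case with the openssl CLI and show the verify flag that accepts it.
# Everything here is constructed locally; the CA name and hostname are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req/x509 config so the run does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:service.example.test
EOF

# Build a two-certificate PKI: a self-signed CA and one leaf it signs.
make_pki() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
        -subj "/CN=Example Test CA" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -config "$WORK/pki.cnf" -subj "/CN=service.example.test" \
        -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf TRUSTSTORE [extra 'openssl verify' flags...]
# Returns 0 when leaf.pem verifies against TRUSTSTORE, 1 otherwise.
verify_leaf() {
    store=$1
    shift
    if openssl verify "$@" -CAfile "$store" "$WORK/leaf.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# report LABEL TRUSTSTORE [flags...]: print whether the leaf was accepted.
report() {
    label=$1
    shift
    if verify_leaf "$@"; then
        echo "accepted: $label"
    else
        echo "rejected: $label"
    fi
}

make_pki
report "CAfile = CA cert (normal chain)"     "$WORK/ca.pem"
report "CAfile = leaf cert, default flags"   "$WORK/leaf.pem"
report "CAfile = leaf cert, -partial_chain"  "$WORK/leaf.pem" -partial_chain
```

The middle case is what curl inherits when CURLOPT_CAINFO is handed straight
to the library's normal chain-building path: the leaf is found in the store,
it is not self-signed, no issuer can be located, and verification fails with
"unable to get local issuer certificate". Pinning a single certificate
therefore needs either the partial-chain flag at the library level or a
dedicated pinning mechanism; later curl releases provide both, with partial
chains enabled by default for the OpenSSL backend (the CURLSSLOPT_NO_PARTIALCHAIN
option turns it off again) and --pinnedpubkey / CURLOPT_PINNEDPUBLICKEY for
pinning the server's public key independently of the CA store. Neither of
those is something this thread claims is available in jessie.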