curl and certificate verification in jessie
Tollef Fog Heen
tfheen at err.no
Mon Dec 1 21:06:59 UTC 2014
]] Alessandro Ghedini
> On lun, dic 01, 2014 at 11:18:19 +0100, Tollef Fog Heen wrote:
> > > > Is this intentional, or is that a bug in either gnutls, curl, or the software
> > > > using these libraries?
> > >
> > > AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
> > > build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
> > > to a single leaf certificate and have the verification succeed.
> > >
> > > FWIW the current behaviour is the same with openssl. I don't know if there's a
> > > reason for it though.
> > Can we get it reverted/fixed?
> If you are asking if curl is gonna go back to gnutls26, I don't think that's
> gonna happen. AFAICT it's not maintained upstream anymore and gnutls28 provides
> stuff like ECC support that's IMO more important.

I'm not asking for a particular course of action, I'm asking for a
specific goal to be reached. (I otherwise agree that going back to
gnutls26 isn't a good idea.)

> As for fixing it, you need to discuss this with the gnutls maintainers.

That's why they are copied on the mail too.

> > We consider it a security-related regression compared to wheezy and while we
> > could run private builds of the code on debian.org, that'd be pretty silly
> > (and a waste of manpower).
> What does "security-related regression" mean? (if anything this makes security
> checks tighter).

No, it doesn't necessarily. As dkg points out, I can no longer say
«this service should have this particular cert». This makes us
vulnerable to compromises of the CA that provides the cert for a given
service and a lowering of the overall security in this particular setup.

> The problem, I think, is that you provide curl (and thus gnutls) with
> a CA certificate that doesn't actually sign the end certificate of the
> site you are trying to connect to (even if the two are the same

Well, it's not a CA certificate. :-)

> Again, I don't know if this is intended or not, you need to talk with the gnutls

Again, they're Cc-ed.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
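
Added example, not part of the original message and not curl or gnutls code: one way to express "this service should have this particular cert" without relying on how a TLS library treats a leaf certificate in its CA file, by comparing the SHA-256 fingerprint of the certificate the peer presents against a locally stored copy. The names pem_fingerprint, matches_pin and connect_pinned are hypothetical, and the sample bytes are constructed.

```python
import hashlib
import socket
import ssl

# Constructed stand-in bytes, not a real certificate: enough to exercise
# the PEM -> DER -> fingerprint path offline.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"


def pem_fingerprint(pem_text):
    """SHA-256 (hex) of the DER form of the one certificate in pem_text."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text.strip())).hexdigest()


def matches_pin(peer_der, pinned_sha256_hex):
    """True only if the peer presented exactly the pinned certificate."""
    if not peer_der:
        return False
    return hashlib.sha256(peer_der).hexdigest() == pinned_sha256_hex.strip().lower()


def connect_pinned(host, port, pinned_sha256_hex, timeout=10.0):
    """Open a TLS connection and accept it only if the leaf matches the pin.

    Assumption of this sketch: trust comes from the pin alone, so chain
    validation is switched off and no CA can vouch for a different cert.
    The comparison runs before any application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not matches_pin(tls.getpeercert(binary_form=True), pinned_sha256_hex):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned one")
    return tls
```

The pin has to be replaced whenever the service's certificate is reissued, since the fingerprint covers the whole certificate and not just its key.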