curl and certificate verification in jessie
Peter Palfrader
weasel at debian.org
Sat Nov 29 12:10:20 UTC 2014
Hi,
I recently started to move parts of debian.org's infrastructure to jessie. I
noticed a regression with software using curl to do https with certificate
verification.
On wheezy, this works:
| weasel at mipsel-manda-01:~$ cat /etc/apt/apt.conf.d/puppet-https-buildd
| Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";
| weasel at mipsel-manda-01:~$ tail -n1 /etc/apt/sources.list.d/buildd.debian.org.list
| deb https://buildd.debian.org/apt/ wheezy main
I.e., I can use a local copy of the expected end-entity certificate to
authenticate a https server.
On jessie this no longer works:
} Err https://buildd.debian.org wheezy/main mipsel Packages
} server certificate verification failed. CAfile: /etc/ssl/servicecerts/buildd.debian.org.crt CRLfile: none
Instead, I have to trust the corresponding root certificate or an
intermediate (#771404).
I noticed a similar issue with git, where using the EE-certificate or an
intermediate as http.sslCAInfo fails to authenticate the server (#771170).
Is this intentional, or is that a bug in either gnutls, curl, or the software
using these libraries?
I suspect that other users of curl/gnutls might be affected as well, and that
saying "I only trust this exact certificate" is not a crazy and rare use-case.
Thus, I'd like to learn more here and ideally have this resolved for jessie.
Cheers,
--
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 http://www.palfrader.org/  | `. `'      Operating System
                            |   `-    http://www.debian.org/
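Added example, not code from the mail or from the apt, curl or gnutls projects: a POSIX shell helper, assuming the openssl command-line tool is installed, that classifies the first certificate in a PEM file as a self-signed root, an intermediate CA or an end-entity certificate, so that one can tell in advance whether a CaInfo file holds only the EE cert, which is the case the mail reports as failing on jessie. The certificates it generates are constructed throwaway ones for the demonstration only.

```shell
#!/bin/sh
# Added example, not part of the original mail or of apt/curl/gnutls.
# Assumes the openssl CLI is installed. Classifies the first certificate in a
# PEM file the way a chain-building verifier sees it:
#   self-signed -> a root; any verifier accepts it as a trust anchor
#   ca          -> an intermediate (CA:TRUE, but issued by someone else)
#   leaf        -> an end-entity cert; a CaInfo file holding only this is the
#                  case the mail reports as failing on jessie
classify_cert() {
    file="$1"
    subject=$(openssl x509 -noout -subject -in "$file")
    issuer=$(openssl x509 -noout -issuer -in "$file")
    # strip the "subject="/"issuer=" prefixes so the two names compare directly
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed
    elif openssl x509 -noout -text -in "$file" | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# Constructed throwaway certificates for the demonstration only: a self-signed
# root in $1/root.crt and an end-entity certificate it issued in $1/leaf.crt.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-root \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-leaf \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Report what each file would act as if it were handed to apt/curl as CaInfo.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for f in root leaf; do
    printf '%s.crt: %s\n' "$f" "$(classify_cert "$demo_dir/$f.crt")"
done
rm -rf "$demo_dir"
```

The classification looks only at the first certificate in the file; a CaInfo bundle holding an intermediate followed by the EE cert needs each certificate checked on its own.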