curl and certificate verification in jessie
Alessandro Ghedini
ghedo at debian.org
Sat Nov 29 14:26:16 UTC 2014
[ not sure what's the point of CCing debian-devel, but I kept it. I removed Ian
from the chain though, since he hasn't been much involved with curl lately ]
On sab, nov 29, 2014 at 01:10:20 +0100, Peter Palfrader wrote:
> Hi,
>
> I recently started to move parts of debian.org's infrastructure to jessie. I
> noticed a regression with software using curl to do https with certificate
> verification.
>
> On wheezy, this works:
>
> | weasel at mipsel-manda-01:~$ cat /etc/apt/apt.conf.d/puppet-https-buildd
> | Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";
> | weasel at mipsel-manda-01:~$ tail -n1 /etc/apt/sources.list.d/buildd.debian.org.list
> | deb https://buildd.debian.org/apt/ wheezy main
>
> I.e., I can use a local copy of the expected end-entity certificate to
> authenticate a https server.
>
> On jessie this no longer works:
>
> } Err https://buildd.debian.org wheezy/main mipsel Packages
> } server certificate verification failed. CAfile: /etc/ssl/servicecerts/buildd.debian.org.crt CRLfile: none
I assume that this is using apt-transport-https, which in turn uses
libcurl3-gnutls.
> Is this intentional, or is that a bug in either gnutls, curl, or the software
> using these libraries?
AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to
build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO
to a single leaf certificate and have the verification succeed.
FWIW the current behaviour is the same with openssl. I don't know if there's a
reason for it though.
Cheers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20141129/e96178b0/attachment.sig>
More information about the Pkg-gnutls-maint
mailing list