Bug#976836: libgnutls30: 3.7.0-3 fails to connect on debian.ethz.ch

Jonathan Ballet jon at multani.info
Tue Dec 8 12:13:20 GMT 2020


Package: libgnutls30
Version: 3.7.0-3
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

I updated gnutls to 3.7.0-3 this morning, then apt was unable to connect to
the Debian mirror https://debian.ethz.ch/debian/:

$ sudo apt update
Ign:1 https://debian.ethz.ch/debian sid InRelease
Err:2 https://debian.ethz.ch/debian sid Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 129.132.53.171 443]
Reading package lists... Done
E: The repository 'https://debian.ethz.ch/debian sid Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Using the gnutls client directly gives:

$ gnutls-cli debian.ethz.ch -p 443
Processed 126 CA certificate(s).
Resolving 'debian.ethz.ch:443'...
Connecting to '129.132.53.171:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=plattenberg.ethz.ch', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03303e4ec324a9667915ae5fb3383255b202, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-17 13:03:43 UTC', expires `2021-02-15 13:03:43 UTC', pin-sha256="7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA="
Public Key ID:
sha1:3c05692d0390a10e4e7cc1a4881c82288b0f6d83
sha256:eeac0dac022a383beb1300726749803299b63d139cbd82bf04da584c1cd2cdf0
Public Key PIN:
pin-sha256:7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA=

- Certificate[1] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Reverting to libgnutls30 3.6.15-4 seems to fix the problem.

Best,

 Jonathan


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-4-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii  libc6          2.31-5
ii  libgmp10       2:6.2.1+dfsg-1
ii  libhogweed6    3.6-2
ii  libidn2-0      2.3.0-4
ii  libnettle8     3.6-2
ii  libp11-kit0    0.23.21-2
ii  libtasn1-6     4.16.0-2
ii  libunistring2  0.9.10-4

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.6.15-4

-- no debconf information
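
A triage helper for chain listings like the one above, added here as an example and not part of the original report or of GnuTLS: it parses the certificate summary lines that gnutls-cli prints, flags certificates the server sent more than once or out of issuer order, and names the issuer the client has to find in its own trust store. The function names and the abridged sample are assumptions of this example.

```python
import re

# Per-certificate summary line printed by gnutls-cli. Names are quoted with a
# backtick and an apostrophe, and may contain apostrophes themselves.
CERT_LINE = re.compile(
    r"- subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', "
    r"serial (?P<serial>0x[0-9a-fA-F]+)"
)

# Abridged from the gnutls-cli output in the report (fields after the serial dropped).
SAMPLE = """\
- Certificate[0] info:
- subject `CN=plattenberg.ethz.ch', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03303e4ec324a9667915ae5fb3383255b202
- Certificate[1] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708
"""

def parse_chain(output):
    """Return the certificates in the order the server sent them."""
    return [m.groupdict() for m in CERT_LINE.finditer(output)]

def chain_findings(chain):
    """List repeated certificates and breaks in issuer -> subject ordering."""
    findings, first_seen, unique = [], {}, []
    for i, cert in enumerate(chain):
        key = (cert["issuer"], cert["serial"])  # identifies a certificate
        if key in first_seen:
            findings.append(f"Certificate[{i}] repeats Certificate[{first_seen[key]}]")
            continue
        first_seen[key] = i
        unique.append((i, cert))
    # Ordering is checked on the de-duplicated chain so repeats are not counted twice.
    for (i, cert), (j, parent) in zip(unique, unique[1:]):
        if cert["issuer"] != parent["subject"]:
            findings.append(f"Certificate[{i}] is not issued by Certificate[{j}]")
    return findings

def required_anchor(chain):
    """Issuer of the last certificate sent: the name the local trust store must supply."""
    return chain[-1]["issuer"] if chain else None

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    for finding in chain_findings(chain):
        print(finding)
    print("trust store must contain:", required_anchor(chain))
```

The helper only describes the chain as sent; it does not verify signatures or say why a given GnuTLS version rejects it.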


