Bug#961889: src:gnutls28: Fails building chains with expired intermediate regardless of trust store

Chris Hofstaedtler zeha at debian.org
Sat May 30 23:53:09 BST 2020

Package: src:gnutls28
Version: 3.6.7-4+deb10u3
Severity: grave
Justification: renders package unusable


gnutls appears to fail building a certificate chain, if:
- the server sends an alternate chain with an expired intermediate
- a matching root is in the local trust store.

This was found because the "AddTrust External CA Root" [1] expired today,
and it was used - a long time ago - to cross-sign the "USERTrust RSA
Certification Authority" Root CA. When a server sends the cross-signed
certificate, gnutls thinks the entire chain is invalid, even though the
not-expired root is contained in its trust store.


    $ gnutls-cli apt.puppet.com:443
    Processed 129 CA certificate(s).
    Resolving 'apt.puppet.com:443'...
    Connecting to '2600:9000:2043:2200:1d:fc37:1cc0:93a1:443'...
    - Certificate type: X.509
    - Got a certificate list of 3 certificates.
    - Certificate[0] info:
     - subject `CN=apt.puppet.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x00d50b93f3f071150e62d87aee147a1520, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-18 00:00:00 UTC', expires `2020-07-18 23:59:59 UTC', pin-sha256="oBlhqVlMzd0j01OweaExY7LRykSLER7Cyml3qM9Rp4M="
        Public Key ID:
        Public Key PIN:

    - Certificate[1] info:
     - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
    - Certificate[2] info:
     - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
    - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
    *** PKI verification of server certificate failed...
    *** Fatal error: Error in the certificate.

Note that modern browsers and OpenSSL 1.1.1 have no problem with this.

Obviously, this also breaks APT.

I'm marking this grave, as GnuTLS doesn't seem to follow standards here,
various other software just works, GnuTLS-using clients all break, and
many many sites on the public Internet send the cross-signed


[1] https://crt.sh/?id=1

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
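
A small model of the path-building difference the report describes, added here as an example; it is not part of the original bug report and is not GnuTLS or OpenSSL code. The key labels and the two trust-store expiry dates are constructed, and signatures are modelled by matching key labels rather than by real cryptography.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # constructed label standing in for the subject public key
    signed_by: str  # constructed label of the key that signed this certificate
    not_after: datetime

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

UT = "USERTrust RSA Certification Authority"
AT = "AddTrust External CA Root"
# Names and these three expiry dates are taken from the gnutls-cli output above.
LEAF = Cert("apt.puppet.com", "Gandi Standard SSL CA 2", "k-leaf", "k-gandi", utc(2020, 7, 18, 23, 59, 59))
GANDI = Cert("Gandi Standard SSL CA 2", UT, "k-gandi", "k-ut", utc(2024, 9, 11, 23, 59, 59))
CROSS = Cert(UT, AT, "k-ut", "k-at", utc(2020, 5, 30, 10, 48, 38))
# Trust-store entries; both expiry dates are constructed for the model.
ROOT_UT = Cert(UT, UT, "k-ut", "k-ut", utc(2038, 1, 1))
ROOT_AT = Cert(AT, AT, "k-at", "k-at", utc(2020, 5, 30, 10, 48, 38))

SENT = [LEAF, GANDI, CROSS]   # the list the server sends
TRUST = [ROOT_UT, ROOT_AT]    # the local trust store

def anchors(cert, trust, now):
    """True if an unexpired trusted certificate issued `cert`."""
    return any(t.subject == cert.issuer and t.key == cert.signed_by
               and t.not_after >= now for t in trust)

def verify_full_list(sent, trust, now):
    """Require every sent certificate to be valid, then anchor the last one."""
    return bool(sent) and all(c.not_after >= now for c in sent) and anchors(sent[-1], trust, now)

def verify_first_anchor(sent, trust, now):
    """Walk from the leaf and stop at the first certificate issued by a trusted root."""
    for i, cert in enumerate(sent):
        if cert.not_after < now:
            return False
        if anchors(cert, trust, now):
            return True  # later certificates in the list are never consulted
        nxt = sent[i + 1] if i + 1 < len(sent) else None
        if nxt is None or (nxt.subject, nxt.key) != (cert.issuer, cert.signed_by):
            return False  # list is broken or ran out without reaching an anchor
    return False

if __name__ == "__main__":
    for now in (utc(2020, 5, 29), utc(2020, 5, 30, 22, 53, 9)):
        print(now, verify_full_list(SENT, TRUST, now), verify_first_anchor(SENT, TRUST, now))
```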
