Bug#961889: src:gnutls28: Fails building chains with expired intermediate regardless of trust store
Andreas Metzler
ametzler at bebt.de
Sun May 31 05:17:57 BST 2020
X-Debbugs-Cc: severity -1 serious
X-Debbugs-Cc: found -1 3.6.7-1
On 2020-05-31 Chris Hofstaedtler <zeha at debian.org> wrote:
> Package: src:gnutls28
> Version: 3.6.7-4+deb10u3
> Severity: grave
> Justification: renders package unusable
> Hi,
> gnutls appears to fail building a certificate chain, if:
> - the server sends an alternate chain with an expired intermediate
> - a matching root is in the local trust store.
[...]
> I'm marking this grave, as GnuTLS doesn't seem to follow standards here,
> various other software just works, GnuTLS-using clients all break, and
> many many sites on the public Internet send the cross-signed
> certificate.
Hello,
thanks for the report.
I disagree on the severity here, since only a very small minority of
internet servers provide alternative trust paths at all and out of these
only a small percentage send an alternative trust path using an expired
certificate. (Personally I would consider the latter a server-side
configuration error.)
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
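The path-building situation in the report, as an added example that is not part of the bug report or of GnuTLS: a constructed test PKI (root R, legacy root X, intermediate I, leaf server.test are all made up here) in which only R is in the trust store while the server sends leaf, I and an expired copy of R cross-signed by X. Go's crypto/x509 verifier is used as the reference client: it skips the expired cross-certificate and returns the chain leaf -> I -> R, which is what the reporter expects a chain builder to do.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn holding pub with parentKey; a nil parent
// means self-signed. All of this is a constructed test PKI, no real CA material.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey, notAfter time.Time, ca bool) *x509.Certificate {
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert
}

// ChainsViaTrustedRoot models the report. Root R is the only trusted anchor; the
// server sends leaf, intermediate I and an expired copy of R cross-signed by an
// old root X. A correct path builder returns leaf->I->R and ignores the expired
// cross-certificate instead of failing on it, which is what Go's verifier does.
func ChainsViaTrustedRoot() ([][]*x509.Certificate, error) {
	rPub, rKey, _ := ed25519.GenerateKey(rand.Reader)
	xPub, xKey, _ := ed25519.GenerateKey(rand.Reader)
	iPub, iKey, _ := ed25519.GenerateKey(rand.Reader)
	lPub, _, _ := ed25519.GenerateKey(rand.Reader)
	valid, expired := time.Now().Add(24*time.Hour), time.Now().Add(-24*time.Hour)
	root := issue("R", rPub, nil, rKey, valid, true)
	old := issue("X", xPub, nil, xKey, expired, true)
	cross := issue("R", rPub, old, xKey, expired, true) // same subject and key as root, but expired
	inter := issue("I", iPub, root, rKey, valid, true)
	leaf := issue("server.test", lPub, inter, iKey, valid, false)

	roots, sent := x509.NewCertPool(), x509.NewCertPool() // trust store vs. what the server sent
	roots.AddCert(root)
	sent.AddCert(inter)
	sent.AddCert(cross)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
}
```

A verifier that follows only the server-sent order, as described in the report, would stop at the expired cross-certificate and fail; the returned chain here ends at the still-valid R from the trust store.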