Bug#961889: src:gnutls28: Fails building chains with expired intermediate regardless of trust store

Andreas Metzler ametzler at bebt.de
Sun May 31 05:17:57 BST 2020

X-Debbugs-Cc: severity -1 serious
X-Debbugs-Cc: found -1 3.6.7-1

On 2020-05-31 Chris Hofstaedtler <zeha at debian.org> wrote:
> Package: src:gnutls28
> Version: 3.6.7-4+deb10u3
> Severity: grave
> Justification: renders package unusable

> Hi,

> gnutls appears to fail building a certificate chain, if:
> - the server sends an alternate chain with an expired intermediate
> - a matching root is in the local trust store.

> I'm marking this grave, as GnuTLS doesn't seem to follow standards here,
> various other software just works, GnuTLS-using clients all break, and
> many many sites on the public Internet send the cross-signed
> certificate.


thanks for the report.

I disagree on the severity here, since only a very small minority of
internet servers provide alternative trust paths at all and out of these
only a small percentage send an alternative trust path using an expired
certificate. (Personally I would consider the latter a server-side 
configuration error.)

cu Andreas

`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Pkg-gnutls-maint mailing list