Bug#1007138: libgnutls30: fails on Let's Encrypt chains due to blacklisted expired root certificate

Andreas Metzler ametzler at bebt.de
Sat Mar 12 06:43:28 GMT 2022 

Control: tags -1 confirmed

On 2022-03-11 Paul Gevers <elbrus at debian.org> wrote:
> Package: libgnutls30
> Version: 3.7.3-4+b1
> Severity: normal

> Dear maintainers,

> Recently ca-certificates 20211016 migrated to testing which included
> the following change:

> * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)

[...]
> paul at mulciber ~ $ gnutls-cli ci.debian.net
> Processed 127 CA certificate(s).
> Resolving 'ci.debian.net:443'...
> Connecting to '52.34.117.196:443'...
> - Certificate type: X.509
> - Got a certificate list of 4 certificates.
> - Certificate[0] info:
>  - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
[...]
> - Certificate[1] info:
>  - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
[...]

Hello Paul,

thanks for the report. I think the DST Root CA X3 thingy is unrelated, I
rather suspect ci.debian.net changed.

ci.debian.net seems to be configured less than optimal, its cert-chain
contains junk (0=server cert, 1=server cert *again*, etc.). Removing the
duplicate server cert from the chain lets at least certtool --verify
succeed. I expect gnutls-cli would also succeed if ci.debian.net was
"improved".

And OTOH adding DSTRootCAX3.crt to the trusted set does not let
gnutls-cli succeed:

| gnutls-cli --x509cafile=/tmp/DSTRootCAX3.crt  ci.debian.net
[...]
|  - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.

I am not claiming this is not a gnutls bug since iirc nowadays the
respective RFCs allow sending junk certificates in the chain and the
client is supposed to handle this.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Pkg-gnutls-maint mailing list