[Pkg-haskell-maintainers] Bug#701593: Bug#702151: RM: haskell-tls-extra/0.4.6.1-1

Joey Hess joeyh@debian.org
Sun Mar 10 19:02:04 UTC 2013


Attached are minimal patches that seem to work. The haskell-certificate
change is direct from upstream git rev a156d857189fc880f7d0a2de3310e750994c766b,
as vincenthz suggested. The minor haskell-tls-extra change mirrors what's
currently in upstream too.

I've tested using tls-debug's tls-retrievecertificate --verify -c, and
it looks correct both for sites with a valid trust chain
(www.google.com, www.box.com), as well as failing properly for sites
with self-signed and non-valid CAs (dev.mutt.org, munin.varnish-software.com).

The only site I've found that it doesn't seem to like is db.debian.org,
which Chromium says has a valid chain, but which fails here:

joey@wren:~/tmp/tls-debug-0.1.1>dist/build/tls-retrievecertificate/tls-retrievecertificate -d db.debian.org --verify -c
connecting to db.debian.org on port 443 ...
###### Certificate 1 ######
serial:   98
issuer:   [([1,2,840,113549,1,9,1],(IA5,"debian-admin@debian.org")),([2,5,4,3],(Printable,"ca.debian.org")),([2,5,4,10],(Printable,"Debian"))]
subject:  [([1,2,840,113549,1,9,1],(IA5,"debian-admin@debian.org")),([2,5,4,3],(Printable,"db.debian.org")),([2,5,4,10],(Printable,"Debian"))]
validity: (2013-03-01,31765s,True) to (2014-03-01,31765s,True)
###### Certificate 2 ######
serial:   3
issuer:   [([1,2,840,113549,1,9,1],(IA5,"hostmaster@spi-inc.org")),([2,5,4,3],(Printable,"Certificate Authority")),([2,5,4,6],(Printable,"US")),([2,5,4,7],(Printable,"Indianapolis")),([2,5,4,8],(Printable,"Indiana")),([2,5,4,10],(Printable,"Software in the Public Interest")),([2,5,4,11],(Printable,"hostmaster"))]
subject:  [([1,2,840,113549,1,9,1],(IA5,"debian-admin@debian.org")),([2,5,4,3],(Printable,"ca.debian.org")),([2,5,4,10],(Printable,"Debian"))]
validity: (2008-05-13,33200s,True) to (2018-05-10,33200s,True)
###### Certificate 3 ######
serial:   16757532242060383272
issuer:   [([1,2,840,113549,1,9,1],(IA5,"hostmaster@spi-inc.org")),([2,5,4,3],(Printable,"Certificate Authority")),([2,5,4,6],(Printable,"US")),([2,5,4,7],(Printable,"Indianapolis")),([2,5,4,8],(Printable,"Indiana")),([2,5,4,10],(Printable,"Software in the Public Interest")),([2,5,4,11],(Printable,"hostmaster"))]
subject:  [([1,2,840,113549,1,9,1],(IA5,"hostmaster@spi-inc.org")),([2,5,4,3],(Printable,"Certificate Authority")),([2,5,4,6],(Printable,"US")),([2,5,4,7],(Printable,"Indianapolis")),([2,5,4,8],(Printable,"Indiana")),([2,5,4,10],(Printable,"Software in the Public Interest")),([2,5,4,11],(Printable,"hostmaster"))]
validity: (2008-05-13,29276s,True) to (2018-05-11,29276s,True)
### certificate chain trust
chain validity : rejected: CertificateRejectOther "certificate is not allowed to sign another certificate"
time validity : accepted

However, the most recent upstream versions of tls-* behave identically,
so if this is a bug, it's a separate one. I've let upstream know.

Can someone get the packages updated with these patches and the binNMUs
scheduled?

-- 
see shy jo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: haskell-certificate.patch
Type: text/x-diff
Size: 1500 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-haskell-maintainers/attachments/20130310/acc2b704/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: haskell-tls-extra.patch
Type: text/x-diff
Size: 720 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-haskell-maintainers/attachments/20130310/acc2b704/attachment-0001.patch>
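The "certificate is not allowed to sign another certificate" rejection in the db.debian.org run above is the structural check RFC 5280 (section 6.1.4) requires of every issuer in a chain: the issuing certificate must carry a basicConstraints extension with cA=TRUE and, if it has a keyUsage extension at all, the keyCertSign bit. The thread does not say which of these the ca.debian.org intermediate fails, so the following is an added example, not code from the tls, tls-extra or certificate packages or from anyone in this thread. It uses pyca/cryptography (an assumption about the reader's toolchain) to build two constructed chains in memory, one whose intermediate has no basicConstraints at all and one with a proper intermediate CA, then walks each chain issuer by issuer the way a validator does (name chaining, signature, cA/keyCertSign, pathLenConstraint). The certificate names and the missing extension are my assumptions for the sample data; time validity is deliberately left out, as the tool output shows that part being accepted separately.

```python
# Added example, not from the Haskell tls/certificate packages: reproduce the
# "certificate is not allowed to sign another certificate" decision for an
# in-memory chain built with pyca/cryptography (assumed installed).
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# keyUsage a CA certificate normally carries (assumption for the sample data).
CA_KEY_USAGE = x509.KeyUsage(
    digital_signature=False, content_commitment=False, key_encipherment=False,
    data_encipherment=False, key_agreement=False, key_cert_sign=True,
    crl_sign=True, encipher_only=False, decipher_only=False)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _issue(subject_cn, key, issuer_name, issuer_key, basic_constraints=None, key_usage=None):
    """Sign a certificate for `key` with `issuer_key`. Extensions are optional so
    the sample data can include an intermediate that lacks basicConstraints."""
    start = datetime.datetime(2013, 3, 10)  # fixed so the sample data is reproducible
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365)))
    if basic_constraints is not None:
        b = b.add_extension(basic_constraints, critical=True)
    if key_usage is not None:
        b = b.add_extension(key_usage, critical=True)
    return b.sign(issuer_key, hashes.SHA256())


def may_sign(cert):
    """RFC 5280 s.6.1.4: an issuer needs basicConstraints cA=TRUE and, when a
    keyUsage extension is present, keyCertSign. Returns (ok, reason, path_len)."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False, "no basicConstraints extension", None
    if not bc.ca:
        return False, "basicConstraints cA is FALSE", None
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return True, "cA=TRUE, no keyUsage", bc.path_length
    if not ku.key_cert_sign:
        return False, "keyUsage present without keyCertSign", bc.path_length
    return True, "cA=TRUE with keyCertSign", bc.path_length


def _signature_ok(child, issuer):
    try:
        issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   padding.PKCS1v15(), child.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def check_chain(chain):
    """chain[0] is the leaf, chain[i+1] issued chain[i], chain[-1] is the anchor.
    Returns a list of findings; empty means the structural checks passed."""
    findings = []
    for depth, (child, issuer) in enumerate(zip(chain, chain[1:])):
        if child.issuer != issuer.subject:
            findings.append(f"{_cn(child)}: issuer name does not match {_cn(issuer)}")
        if not _signature_ok(child, issuer):
            findings.append(f"{_cn(child)}: signature does not verify with {_cn(issuer)}")
        ok, why, path_len = may_sign(issuer)
        if not ok:
            findings.append(f"{_cn(issuer)}: certificate is not allowed to sign "
                            f"another certificate ({why})")
        elif path_len is not None and depth > path_len:  # `depth` CAs sit below issuer
            findings.append(f"{_cn(issuer)}: pathLenConstraint {path_len} exceeded")
    return findings


def build_chains():
    """Constructed sample data: a bad chain whose intermediate has no
    basicConstraints, and a good chain with a proper intermediate CA."""
    root_key, bad_key, good_key, leaf_key = (rsa.generate_private_key(65537, 2048)
                                             for _ in range(4))
    root = _issue("Example Root CA", root_key, _name("Example Root CA"), root_key,
                  x509.BasicConstraints(ca=True, path_length=None), CA_KEY_USAGE)
    bad_inter = _issue("Example Intermediate (no basicConstraints)", bad_key,
                       root.subject, root_key)
    good_inter = _issue("Example Intermediate CA", good_key, root.subject, root_key,
                        x509.BasicConstraints(ca=True, path_length=0), CA_KEY_USAGE)
    end_entity = x509.BasicConstraints(ca=False, path_length=None)
    leaf_bad = _issue("www.example.test", leaf_key, bad_inter.subject, bad_key, end_entity)
    leaf_good = _issue("www.example.test", leaf_key, good_inter.subject, good_key, end_entity)
    return [leaf_bad, bad_inter, root], [leaf_good, good_inter, root]


if __name__ == "__main__":
    for label, chain in zip(("bad chain", "good chain"), build_chains()):
        print(f"### {label}")
        print("\n".join(check_chain(chain) or ["chain validity : accepted"]))
```

To apply this to a real site, replace the constructed chain with the DER or PEM certificates the server sends (x509.load_pem_x509_certificate on each) in leaf-first order and append the trust anchor; whichever issuer may_sign rejects, and for which reason, is the certificate a validator will blame. This reproduces only the "chain validity" line of the tool output; the separate "time validity" check and revocation are out of scope here.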