Bug#885127: GnuTLS update breaks self-signed certificates
Rémi Denis-Courmont
remi at remlab.net
Fri Dec 29 12:38:14 UTC 2017
reassign 885127 libgnutls30
found 885127 3.5.16-1
affects 885127 vlc
tags 885127 + upstream confirmed
thanks
Hello,
The version of GnuTLS in Debian incorrectly flags self-signed certificates as
insecure certificate chain algorithm. This makes no sense; the flag is for
certificate chains using insecure algorithms such as MD2, MD5 and SHA-1.
This is reproducible also with gnutls-bin (both with Debian and upstream
GnuTLS):
# gnutls-cli self-signed.badssl.com
Processed 148 CA certificate(s).
Resolving 'self-signed.badssl.com:443'...
Connecting to '104.154.89.105:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US',
issuer `CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US', serial
0x0086fb4dc8e5dd0f18, RSA key 2048 bits, signed using RSA-SHA256, activated
`2016-08-08 21:17:05 UTC', expires `2018-08-08 21:17:05 UTC', pin-
sha256="9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8="
Public Key ID:
sha1:7965dfc93c6ae6fe8381ec482216ec44ef47282a
sha256:f522e496c72fccc623f1ffb9da5a79cdefe16340851f22d23d0cd2a58608066f
Public Key PIN:
pin-sha256:9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=
Public key's random art:
+--[ RSA 2048]----+
| |
| . |
| o . . o |
| = o o o .o..|
| + + S o . .=.|
| E . + o + o .. .|
| . . . + o +o |
| . .+. . |
| .o...|
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
--
Rémi Denis-Courmont
More information about the pkg-multimedia-maintainers
mailing list