Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

Tomas Mraz tmraz at redhat.com
Thu Dec 4 10:16:08 CET 2008


On Thu, 2008-12-04 at 09:58 +0100, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> 
> > Andreas Metzler wrote:
> >> On 2008-12-03 Michael Kiefer <Michael-Kiefer at web.de> wrote:
> >>> Package: libgnutls26
> >>> Version: 2.4.2-3
> >>> Severity: important
> >> 
> >>> Since I updated libgnutls26 from 2.4.2-1 to 2.4.2-3 kMyMoney2 does
> >>> not connect to my bank any more.  When I run gnutls-cli --insecure
> >>> -p 443 hbci-pintan-rp.s-hbci.de -d 4711 --print-cert it says
> >> 
> >>> - Peer's certificate issuer is unknown
> >>> - Peer's certificate is NOT trusted
> >> [...]
> >> 
> >> FWIW adding or dropping
> >> http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/patches/20_GNUTLS-SA-2008-3.patch?op=file&rev=0&sc=0
> >> indeed makes
> >> 
> >> gnutls-cli  -p 443 hbci-pintan-rp.s-hbci.de --x509cafile \
> >> /etc/ssl/certs/ca-certificates.crt
> >
> > It seems to me that MD2 is missing from newer gnutls and this is the
> > reason why it fails. libgcrypt has the MD2 enumeration but not the
> > actual implementation and this tricked me into removing the included
> > md2. I will try to revert the old behavior of using an included version
> > of md2.
> 
> I don't think MD2 should be required here: chain verification should not
> need to verify the RSA-MD2 self-signature in the CA cert, because that
> cert is marked as trusted.
> 
> If there were other MD2 signatures involved, verification should
> definitely fail, but that doesn't seem to be the case with this chain.
> 
> It seems this problem is caused by the chain validation algorithm now
> also looking at the CA cert, but it didn't before the GNUTLS-SA-2008-3
> patch.

Yes, this is caused by removing the code for removal of the last
self-signed certificate from the chain validation after fixing the
segfault in the original patch.

I had proposed to just adjust the condition for the removal so the code
would not segfault on sites with a self-signed site certificate, but
instead the whole removal code was deleted.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
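
The behaviour discussed in this thread, as an added example: a simplified C model written for this page, not GnuTLS code or the Debian patch. It shows a chain check that rejects a trusted CA because of its RSA-MD2 self-signature, next to one that drops the trailing self-signed certificate first. The struct layout, the `n > 1` guard and all sample names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not GnuTLS code: a certificate is two names plus the
 * algorithm of the signature its issuer placed on it. */
enum sig_alg { SIG_RSA_SHA1, SIG_RSA_MD2 };
struct cert { const char *subject, *issuer; enum sig_alg alg; };

static int self_signed(const struct cert *c) {
    return strcmp(c->subject, c->issuer) == 0;
}

/* Stand-in for signature verification: names must chain, and RSA-MD2
 * always fails because no MD2 implementation is available. */
static int sig_ok(const struct cert *c, const struct cert *issuer) {
    return c->alg != SIG_RSA_MD2 && strcmp(c->issuer, issuer->subject) == 0;
}

/* Returns 1 if the chain (leaf first) ends at a trusted CA, else 0.
 * strip_root=1 drops a trailing self-signed cert before verifying; the
 * n > 1 guard (an assumption) leaves a lone self-signed site cert alone. */
int verify_chain(const struct cert *chain, size_t n,
                 const struct cert *trusted, size_t nt, int strip_root) {
    if (n == 0) return 0;
    if (strip_root && n > 1 && self_signed(&chain[n - 1])) n--;
    for (size_t i = 0; i + 1 < n; i++)        /* links inside the chain */
        if (!sig_ok(&chain[i], &chain[i + 1])) return 0;
    for (size_t j = 0; j < nt; j++)           /* top cert vs. trust list */
        if (sig_ok(&chain[n - 1], &trusted[j])) return 1;
    return 0;
}

/* Constructed sample data: a trusted CA whose self-signature is RSA-MD2. */
const struct cert ROOT = { "Example Root CA", "Example Root CA", SIG_RSA_MD2 };
const struct cert SITE = { "www.example.test", "Example Root CA", SIG_RSA_SHA1 };
const struct cert SELF = { "self.example.test", "self.example.test", SIG_RSA_SHA1 };
const struct cert MD2_SITE = { "old.example.test", "Example Root CA", SIG_RSA_MD2 };

/* Verify leaf (optionally followed by ROOT) against a trust list of ROOT. */
int check(const struct cert *leaf, int with_root, int strip_root) {
    struct cert chain[2];
    chain[0] = *leaf; chain[1] = ROOT;
    return verify_chain(chain, with_root ? 2 : 1, &ROOT, 1, strip_root);
}

int main(void) {
    /* exit status 0: stripping accepts the chain, not stripping rejects it */
    return !(check(&SITE, 1, 1) == 1 && check(&SITE, 1, 0) == 0);
}
```

A certificate below the trust anchor that carries an RSA-MD2 signature (`MD2_SITE`) is still rejected in both modes.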






More information about the Gnutls-devel mailing list