[gnutls-devel] Unable to trust server certificate instead of issuing CA
Andreas Metzler
ametzler at bebt.de
Wed Dec 3 20:01:25 CET 2014
Hello,
This came up on d-d
<http://article.gmane.org/gmane.linux.debian.devel.general/199833>:
With gnutls 3.3.* it seems to be impossible to trust a server
certificate instead of the signing authority:
--------------------------------------------
ametzler at argenau:~$ gnutls-cli --x509cafile=/tmp/GNUTLS/buildd.debian.org.pem buildd.debian.org
Processed 1 CA certificate(s).
Resolving 'buildd.debian.org'...
Connecting to '5.153.231.18:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=Gandi Standard SSL,CN=buildd.debian.org', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', RSA key 3072 bits, signed using RSA-SHA1, activated `2013-12-31 00:00:00 UTC', expires `2014-12-31 23:59:59 UTC', SHA-1 fingerprint `2cdbdc8f013e50e9834cbdca02ecaea7f3982ed4'
Public Key ID:
787e4e3917a1f7f8962f10ea72a89e6dee922952
Public key's random art:
+--[ RSA 3072]----+
| |
| |
| . |
| . ... |
| . S ..o. |
| E o .o.+ |
| . o.o= o... |
| . . +o++oo .+ |
| . o+*+o. ..o.|
+-----------------+
- Certificate[1] info:
- subject `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-10-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `a9f79883a075ce82d20d274d1368e876140d33b3'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
--------------------------------------------
This used to work in 2.x. Is this an intentional change?
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
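Added example (not from the post and not GnuTLS code): the behaviour the post expects from 2.x, a trust store that holds the end-entity certificate itself being enough to accept that certificate, is the semantics implemented by Go's crypto/x509, whose Verify treats a leaf found in the Roots pool as its own one-certificate chain. The program below builds a constructed root/intermediate/leaf hierarchy (the CA names are made up; "buildd.debian.org" is used as the leaf's SAN only to mirror the host in the post), has the "server" present leaf plus intermediate exactly as in the transcript, and verifies against a trust store holding a single anchor: the root, the intermediate, the leaf itself, or an unrelated CA. It says nothing about what GnuTLS 3.3 does; it only shows the two verification policies side by side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is the constructed hierarchy used by the example.
type testPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs template with signer (parent's key) and re-parses the DER so
// that cert.Raw is populated; the trust pool matches anchors on Raw bytes.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI generates a self-signed root, an intermediate signed by it and a
// server certificate signed by the intermediate (all names are made up).
func BuildPKI() testPKI {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := caTemplate(1, "Example Root CA", now)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	inter := mustCert(caTemplate(2, "Example Intermediate CA", now), root, &interKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "buildd.debian.org"},
		DNSNames:     []string{"buildd.debian.org"}, // mirrors the host in the post
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return testPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyWithAnchor plays the client: the server sends leaf + intermediate
// (as in the transcript) and the trust store holds exactly one certificate.
// It returns the length of the accepted chain, or the verification error.
func VerifyWithAnchor(p testPKI, anchor *x509.Certificate, host string) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inters := x509.NewCertPool()
	inters.AddCert(p.Intermediate) // supplied by the peer, never trusted by itself
	chains, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil // chain length 1 means the leaf itself was the anchor
}

func main() {
	p := BuildPKI()
	anchors := []struct {
		name string
		cert *x509.Certificate
	}{
		{"root CA in trust store", p.Root},
		{"intermediate in trust store", p.Intermediate},
		{"server certificate itself in trust store", p.Leaf},
		{"unrelated CA in trust store", BuildPKI().Root},
	}
	for _, a := range anchors {
		n, err := VerifyWithAnchor(p, a.cert, "buildd.debian.org")
		fmt.Printf("%-42s chain length %d, err=%v\n", a.name, n, err)
	}
}
```

The third case is the one the post is about: the anchor is not an issuer of anything, it is the presented certificate, and the verifier accepts it by identity without ever needing the UTN root that the server does not send. The fourth case shows that an anchor with a matching issuer name but the wrong key is still rejected, so pinning the leaf does not weaken the check; it only changes what is being pinned.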