<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/rfmcas">Richard Frith-Macdonald</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1348">#1348</a>
</p>
<div class="md">
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">Unable to establish a connection ... the verification of the server certificate chain fails reporting an insecure algorithm in the root certificate when SECURE256 is used but not when SECURE128 is used.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">Latest stable: 3.6.16</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Built from source on CentOS-7 64bit</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">gnutls-cli --priority='SECURE256:!VERS-TLS1.0:!VERS-TLS1.1' --debug=1 smartpayivr1005.tstpaypoint.services:443</p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">Processed 133 CA certificate(s).
Resolving 'smartpayivr1005.tstpaypoint.services:443'...
Connecting to '81.93.230.131:443'...</p>
<ul dir="auto">
<li>
<p>Certificate type: X.509</p>
</li>
<li>
<p>Got a certificate list of 3 certificates.</p>
</li>
<li>
<p>Certificate[0] info:</p>
</li>
<li>
<p>subject <code>CN=*.tstpaypoint.services,O=Paypoint Network LTD,L=Welwyn Garden City,C=GB', issuer </code>CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x07468da604438a91d14e3e9e33d871b9, RSA key 2048 bits, signed using RSA-SHA256, activated <code>2022-01-07 00:00:00 UTC', expires </code>2023-01-07 23:59:59 UTC', pin-sha256="Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M="
Public Key ID:
sha1:d65bd7a88a3f5a554375b033bb3cbc98903935a2
sha256:4a9d6d20cd6750dc8340fff786b0b502589b02b59047220b834ad4384c746753
Public Key PIN:
pin-sha256:Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M=</p>
</li>
<li>
<p>Certificate[1] info:</p>
</li>
<li>
<p>subject <code>CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer </code>CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated <code>2021-04-14 00:00:00 UTC', expires </code>2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="</p>
</li>
<li>
<p>Certificate[2] info:</p>
</li>
<li>
<p>subject <code>CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer </code>CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x083be056904246b1a1756ac95991c74a, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated <code>2006-11-10 00:00:00 UTC', expires </code>2031-11-10 00:00:00 UTC', pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="</p>
</li>
<li>
<p>Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.</p>
</li>
</ul>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">Connection should be established ... I think the use of SECURE256 or SECURE128 should make no difference to the verification of the root certificate when that certificate provides a 2048 bit key.</p>
</div>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1348">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/-/sent_notifications/87b7dd27a3596886391f1fc0b1e58ce2/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1348"}}</script>


</p>
</div>
</body>
</html>