[Help-gnutls] Certificate verification failed

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Oct 26 23:30:54 CEST 2005


On Wednesday 26 October 2005 22:31, Dima Barsky wrote:
> Hello,
> I have a small python application which uses pycurl to
> download my bank statements every week. I was using
> pycurl built with openssl until recently and the
> application worked fine. A few days ago I upgraded the
> pycurl and the libcurl packages (they are now built with GnuTLS 1.2.8)
> and the application stopped working, it does not accept the bank's
> certificate any more. This small script illustrates the problem:

Hi,
 I've run this server's certificates through certtool:

$ certtool -e -d 2 <list

[...]

Certificate[1]: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign 
International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign
        Issued by: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign 
International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign
        Verifying against certificate[2].
|<2>| ASSERT: verify.c:129
|<2>| ASSERT: verify.c:252
        Verification output: Not verified, Issuer is not a CA.
^^^^^^^^^^^^
This can be solved by upgrading your libcurl.


Certificate[2]: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification 
Authority
        Issued by: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary 
Certification Authority
|<1>| verify.c: HASH OID: 1.2.840.113549.2.2
|<2>| ASSERT: verify.c:447
|<2>| ASSERT: verify.c:496
|<2>| ASSERT: verify.c:568
|<2>| ASSERT: verify.c:282
        Verification output: Not verified.
^^^^^^^^^^^^
This cannot be solved. This certificate uses MD2 which is not included in 
libgcrypt as yet. I don't know if there are plans to include it in the future 
though.

Anyway, MD2 is an old and broken algorithm and should not be used for signing 
certificates.


-- 
Nikos Mavrogiannopoulos




