[gnutls-help] certificate issuer validation issue

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Aug 18 19:45:24 CEST 2015


On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> > The best would be to report that to debian instead. In any case,
> > what is the certificate chain that cannot be validated? Do you know
> > which CA certificates were removed by the update?
> > 
> > regards,
> > Nikos
> Debian basically gets the bundle from mozilla and it seems that one
> of the certificates in the chain has been removed indeed.

> CN = Thawte Premium Server CA
> SHA1 Fingerprint: 
> 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out
> -certificates-with-1024-bit-rsa-keys/)

Mozilla has removed the 1024-bit CAs, however, gnutls (3.3.x+) is
capable of detecting an alternative path.

In my debian (testing) system, certtool --verify and this chain gives:

	Subject: C=US,O=thawte\, Inc.,OU=Certification Services
Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte
Primary Root CA
	Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server CA,
EMAIL=premium-server at thawte.com
	Output: Not verified. The certificate is NOT trusted. The
certificate issuer is unknown. 

	Subject: C=US,O=thawte\, Inc.,OU=Certification Services
Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte
Primary Root CA
	Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server CA,
EMAIL=premium-server at thawte.com
	Checked against: C=US,O=thawte\, Inc.,OU=Certification
Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use
only,CN=thawte Primary Root CA
	Output: Verified. The certificate is trusted. 

	Subject: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
	Issuer: C=US,O=thawte\, Inc.,OU=Certification Services
Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte
Primary Root CA
	Checked against: C=US,O=thawte\, Inc.,OU=Certification
Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use
only,CN=thawte Primary Root CA
	Output: Verified. The certificate is trusted. 

	Subject: C=DE,ST=NRW,L=Duesseldorf,O=Vodafone D2
GmbH,CN=pop3.arcor.de
	Issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
	Checked against: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
	Output: Verified. The certificate is trusted. 

Chain verification output: Verified. The certificate is trusted. 


To verify the chain gnutls tries first to find the 1024-bit CA called
"C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server CA,
EMAIL=premium-server at thawte.com"

Since that is not available it tries to find the issuer of the next
certificate in the chain which is:
"C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006
thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA"

And indeed there is a new CA which signs that certificate (see the
"Checked against" entry).

What do you see in your system for the same command?

regards,
Nikos
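A simplified model of the path search described in the message above, added here as an illustration and not gnutls's own code: certificates are reduced to DNs plus made-up key labels (key equality stands in for signature verification), and the chain and both trust stores are constructed from the DNs quoted in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str    # subject DN
    issuer: str     # issuer DN
    key_id: str     # stands in for the public key
    signed_by: str  # key_id of the signing key; equality models the signature check

def find_anchor(chain, trust_store):
    """chain is leaf first; trust_store maps a trusted CA's subject DN to its key_id.
    Returns (path, anchor, log): the part of the chain still needed, the store
    entry it ends at (None if none found), and per-certificate outcomes."""
    log = []
    # Top of the chain first: try the issuer of the highest certificate and, only
    # when that CA is unknown, the issuer of the next one down (the post's order).
    for i in range(len(chain) - 1, -1, -1):
        cert = chain[i]
        anchor_key = trust_store.get(cert.issuer)
        if anchor_key is not None:
            if anchor_key == cert.signed_by:
                log.append((cert.subject, "Verified, checked against " + cert.issuer))
                return chain[:i + 1], cert.issuer, log
            log.append((cert.subject, "Not verified, signature does not match trusted issuer"))
            return [], None, log
        log.append((cert.subject, "Not verified, the certificate issuer is unknown"))
        if trust_store.get(cert.subject) == cert.key_id:
            # same subject and key as a trust anchor (a cross-signed copy of a stored root)
            log.append((cert.subject, "Trust anchor present in chain"))
            return chain[:i], cert.subject, log
    return [], None, log

def verify_chain(chain, trust_store):
    """Returns (verified, anchor, path_length, log) for a leaf-first chain."""
    path, anchor, log = find_anchor(chain, trust_store)
    if anchor is None:
        return False, None, 0, log
    # each kept certificate must be issued and signed by the one above it; the top one by the anchor
    above = path[1:] + [Cert(anchor, "", trust_store[anchor], "")]
    for lower, upper in zip(path, above):
        if lower.issuer != upper.subject or lower.signed_by != upper.key_id:
            return False, anchor, len(path), log + [(lower.subject, "Not verified, bad signature")]
    return True, anchor, len(path), log

# Constructed chain modelled on the one in the post; key ids are made-up labels.
PREMIUM, PRIMARY = "CN=Thawte Premium Server CA", "CN=thawte Primary Root CA"
SSL_CA, LEAF = "CN=Thawte SSL CA", "CN=pop3.arcor.de"
CHAIN = [Cert(LEAF, SSL_CA, "k-leaf", "k-sslca"),
         Cert(SSL_CA, PRIMARY, "k-sslca", "k-primary"),
         Cert(PRIMARY, PREMIUM, "k-primary", "k-premium")]  # cross-signed copy of the root
OLD_STORE = {PREMIUM: "k-premium", PRIMARY: "k-primary"}   # before the 1024-bit CA removal
NEW_STORE = {PRIMARY: "k-primary"}                          # after it
```

With NEW_STORE the cross-signed certificate is reported as "issuer unknown" and then dropped, and the two certificates below it verify against the stored root, mirroring the certtool output above.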
