[gnutls-help] certificate issuer validation issue

Andreas Müller andreas at stapelspeicher.org
Wed Aug 19 00:15:23 CEST 2015


Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> > > The best would be to report that to debian instead. In any case,
> > > what is the certificate chain that cannot be validated? Do you know
> > > which CA certificates were removed by the update?
> > >
> > > regards,
> > > Nikos
> > Debian basically gets the bundle from mozilla and it seems that one
> > of the certificates in the chain has been removed indeed.
>
> > CN = Thawte Premium Server CA
> > SHA1 Fingerprint:
> > 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> > (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out
> > -certificates-with-1024-bit-rsa-keys/)
>
> Mozilla has removed the 1024-bit CAs, however, gnutls (3.3.x+) is
> capable of detecting an alternative path.
>...
> In my debian (testing) system, certtool --verify and this chain gives:
>...
> What do you see in your system for the same command?

Hmm, the same output (with 3.3.17) as yours. I am sorry, I probably made
some mistake while testing 3.3.* and 3.4.* and continued checking with
3.2.21 (because of presumed ABI/API changes), which didn't have that
alternative path searching feature.
I don't encounter any problems with 3.3.17 anymore.

That mistake might have been the wrong URL for the certificate but I
don't have logs on that.

Sorry for wasting your time and thanks for clarification.
At least I might've learned a thing or two on gnutls and bug-hunting
documentation.


Andreas Müller
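The point of the thread is the difference between a verifier that only walks the chain exactly as the server presented it (ending at the removed 1024-bit root) and one that searches for an alternative path to a root that is still trusted. The following is an added illustration of that difference, not GnuTLS code and not a description of how GnuTLS 3.3 implements its search: it models certificates as subject/issuer/key-identifier records with no real signatures, and every name in it (Old Root CA, New Root CA, Intermediate CA, the key identifiers) is constructed for the example. The "strict" function stands in for the behaviour of the older release, the "alternative path" function for the newer one.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields path building looks at (no signatures)."""
    subject: str
    issuer: str
    key_id: str        # Subject Key Identifier of this certificate's key
    auth_key_id: str   # Authority Key Identifier: key_id of the issuing key

def _is_anchor(cert: Cert, trust_store: Iterable[Cert]) -> bool:
    return any((cert.subject, cert.key_id) == (a.subject, a.key_id) for a in trust_store)

def _issued_by_anchor(cert: Cert, trust_store: Iterable[Cert]) -> Optional[Cert]:
    for a in trust_store:
        if (cert.issuer, cert.auth_key_id) == (a.subject, a.key_id):
            return a
    return None

def _issued_by(cert: Cert, cand: Cert) -> bool:
    return (cert.issuer, cert.auth_key_id) == (cand.subject, cand.key_id)

def verify_presented_chain_only(chain: Sequence[Cert],
                                trust_store: Iterable[Cert]) -> Tuple[bool, str]:
    """Strict model: follow the chain exactly as sent; the last certificate must
    be a trust anchor or be directly issued by one. A chain whose top is a root
    that was removed from the store fails even if another path would exist."""
    for child, parent in zip(chain, chain[1:]):
        if not _issued_by(child, parent):
            return False, "chain breaks at %s" % child.subject
    last = chain[-1]
    if _is_anchor(last, trust_store):
        return True, last.subject
    anchor = _issued_by_anchor(last, trust_store)
    if anchor is not None:
        return True, anchor.subject
    return False, "issuer %r not in trust store" % last.issuer

def verify_with_alternative_paths(chain: Sequence[Cert],
                                  trust_store: Iterable[Cert],
                                  extra_pool: Iterable[Cert] = ()) -> Optional[List[Cert]]:
    """Alternative-path model: depth-first search from the leaf over every
    candidate issuer (the presented intermediates plus any other certificates
    available to the verifier, e.g. cross-certificates), stopping as soon as a
    trust anchor is reached. Returns the path found, or None."""
    pool = list(chain[1:]) + list(extra_pool)

    def search(cert: Cert, seen: frozenset) -> Optional[List[Cert]]:
        if _is_anchor(cert, trust_store):
            return [cert]
        anchor = _issued_by_anchor(cert, trust_store)
        if anchor is not None:
            return [cert, anchor]
        for cand in pool:
            if cand in seen or not _issued_by(cert, cand):
                continue
            rest = search(cand, seen | {cand})   # 'seen' prevents loops on self-signed certs
            if rest:
                return [cert] + rest
        return None

    return search(chain[0], frozenset({chain[0]}))

# --- constructed scenario (all names and key ids are made up for this example) ---
OLD_ROOT = Cert("Old Root CA", "Old Root CA", "k-old", "k-old")     # removed from the store
NEW_ROOT = Cert("New Root CA", "New Root CA", "k-new", "k-new")     # still trusted
# Same intermediate key, certified by two different roots:
INT_BY_OLD = Cert("Intermediate CA", "Old Root CA", "k-int", "k-old")  # what the server sends
INT_BY_NEW = Cert("Intermediate CA", "New Root CA", "k-int", "k-new")  # cross-certificate
LEAF = Cert("www.example.test", "Intermediate CA", "k-leaf", "k-int")

PRESENTED_CHAIN = [LEAF, INT_BY_OLD, OLD_ROOT]   # chain as a server would present it
TRUST_STORE = [NEW_ROOT]                         # Old Root CA is no longer present
CROSS_CERTS = [INT_BY_NEW]                       # known to the verifier, not sent by the server

if __name__ == "__main__":
    print("strict:", verify_presented_chain_only(PRESENTED_CHAIN, TRUST_STORE))
    path = verify_with_alternative_paths(PRESENTED_CHAIN, TRUST_STORE, CROSS_CERTS)
    print("alternative path:", [c.subject for c in path] if path else None)
```

The strict verifier rejects the presented chain because its top, Old Root CA, is no longer in the store; the path-searching verifier ignores the stale cross-certificate and reaches New Root CA through the other certificate for the same intermediate key. Real implementations also check signatures, validity periods, name constraints and key usage at every step, which this toy omits; the certtool --verify output mentioned in the thread is the practical way to see which path GnuTLS actually chose.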


