Joachim Breitner <nome...@debian.org> writes:

> Package: libgnutls26
> Version: 2.4.2-5
> Severity: important
>
> Hi Andreas,
>
> with your recent upload of gnutls, this signature of a host with a
> recently generated cacert signature is no longer valid:
>
> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
> ...
> - Peer's certificate is NOT trusted
CAcert's intermediate certificate is signed using RSA-MD5, so it won't pass
GnuTLS chain verification logic.

I've improved the error message, so now the above command will print:

- Peer's certificate chain uses insecure algorithm
- Peer's certificate is NOT trusted

As a workaround, add the --insecure parameter.

We should probably consider back-porting Donald's logic to short-circuit
chain verification as soon as you have a trusted cert: then you could
choose to trust CAcert's intermediate cert, and then there is no need to
rely on RSA-MD5 to trust this chain. I'll test if the patch would help in
your situation.

/Simon
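The difference between the two verification policies Simon describes, as an added illustration that is not part of the thread or of GnuTLS: a small Python model walks a constructed chain (certificates reduced to subject, issuer and signing algorithm; the names "CAcert Intermediate"/"CAcert Root" and the RSA-SHA1 leaf signature are assumptions) once with the whole-chain check that rejects the RSA-MD5 link and once with the stop-at-first-trusted-cert rule, with the intermediate either absent from or present in the trust store.

```python
"""Model (constructed, not GnuTLS code) of the two chain-verification
policies discussed in the reply; certs are reduced to subject/issuer/sig_alg."""
from dataclasses import dataclass

WEAK_SIG_ALGS = {"RSA-MD5", "RSA-MD2"}  # link signatures treated as insecure


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm the issuer used to sign this certificate


def verify_chain(chain, trusted, short_circuit):
    """Walk `chain` (leaf first) towards the root; `trusted` holds the subjects
    in the local trust store.  short_circuit=False inspects every link until
    the last cert's issuer is a trust anchor (the behaviour the thread
    complains about); short_circuit=True stops as soon as a cert in the chain
    is itself in the trust store, so links above it are never examined.
    Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if short_circuit and cert.subject in trusted:
            return True, f"stopped at trusted cert {cert.subject!r}"
        if cert.sig_alg in WEAK_SIG_ALGS:
            return False, f"{cert.subject!r} is signed with insecure {cert.sig_alg}"
        # A real verifier checks the issuer's signature over `cert` here; the
        # model only checks that the issuer is the next cert or a trust anchor.
        if i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            continue
        if cert.issuer in trusted:
            return True, f"chain ends at trust anchor {cert.issuer!r}"
        return False, f"no issuer found for {cert.subject!r}"
    return False, "empty chain"


# Constructed chain shaped like the one in the report: the intermediate was
# signed by the root with RSA-MD5, the host certificate with RSA-SHA1 (assumed).
LEAF = Cert("fry.serverama.de", "CAcert Intermediate", "RSA-SHA1")
INTERMEDIATE = Cert("CAcert Intermediate", "CAcert Root", "RSA-MD5")
CHAIN = [LEAF, INTERMEDIATE]
ROOT_ONLY = {"CAcert Root"}
ROOT_AND_INTERMEDIATE = {"CAcert Root", "CAcert Intermediate"}

if __name__ == "__main__":
    for store in (ROOT_ONLY, ROOT_AND_INTERMEDIATE):
        for short_circuit in (False, True):
            print(sorted(store), f"short_circuit={short_circuit}:",
                  verify_chain(CHAIN, store, short_circuit))
```

Only the combination of a directly trusted intermediate and the short-circuit rule accepts the chain without ever inspecting the RSA-MD5 signature; trusting the intermediate alone does not help the whole-chain check.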