Jonathan Nieder <[email protected]> writes:
> Hi GnuTLS maintainers,
>
> As mirabilos reports, verification of the alioth.debian.org
> certificates is failing, which means that commands such as
>
> git clone https://alioth.debian.org/anonscm/git/pkg-wml/pkg-wml.git
>
> fail. The problem is reproducible using gnutls-cli. Ideas?
It seems alioth.debian.org is configured incorrectly; the chain it is
sending isn't sorted in the right order:
j...@mocca:~$ gnutls-cli -V -p 443 alioth.debian.org
...
- Certificate[0] info:
Issuer: O=Debian,CN=ca.debian.org,[email protected]
Subject: O=Debian,CN=alioth.debian.org,[email protected]
OK, so that is the host certificate. The next cert needs to be the
ca.debian.org issuer:
- Certificate[1] info:
Issuer: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,[email protected]
Subject: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,[email protected]
However that certificate isn't the ca.debian.org cert, so the chain
validation fails. The next cert is:
- Certificate[2] info:
Issuer: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public
Interest,OU=hostmaster,CN=Certificate Authority,[email protected]
Subject: O=Debian,CN=ca.debian.org,[email protected]
That seems to be the cert that should have been the middle certificate.
Further, the second cert it is sending is a self-signed CA cert: it is
pointless to send that, because if the receiver doesn't already have it
locally and trust it, including it is not going to help the client.
So I don't see any GnuTLS bug here.
/Simon
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
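As an added example (not part of the thread above, and not GnuTLS code), the check Simon performs by hand can be automated over the `gnutls-cli -V` output: parse the `Certificate[N]` blocks, confirm that each certificate's Issuer matches the Subject of the next one, flag any self-signed certificate in the chain as unnecessary, and rebuild the leaf-first order by following issuer links. The sample text is constructed from the DNs quoted in the message (joined onto single lines); the functions compare DNs as plain strings and do not verify signatures, so they only diagnose ordering, not trust.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three certificate blocks from the gnutls-cli -V
# output quoted in the message, with wrapped DNs joined onto one line each.
SAMPLE_OUTPUT = """\
- Certificate[0] info:
Issuer: O=Debian,CN=ca.debian.org,[email protected]
Subject: O=Debian,CN=alioth.debian.org,[email protected]
- Certificate[1] info:
Issuer: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,[email protected]
Subject: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,[email protected]
- Certificate[2] info:
Issuer: C=US,ST=Indiana,L=Indianapolis,O=Software in the Public Interest,OU=hostmaster,CN=Certificate Authority,[email protected]
Subject: O=Debian,CN=ca.debian.org,[email protected]
"""


@dataclass(frozen=True)
class Cert:
    index: int
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        # A root CA cert names itself as issuer; only DN equality is checked here.
        return self.subject == self.issuer


def parse_gnutls_chain(text: str) -> list[Cert]:
    """Parse '- Certificate[N] info:' blocks with Issuer/Subject lines."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"- Certificate\[(\d+)\] info:", line)
        if m:
            if cur is not None:
                certs.append(Cert(**cur))
            cur = {"index": int(m.group(1))}
        elif cur is not None and line.startswith("Issuer: "):
            cur["issuer"] = line[len("Issuer: "):]
        elif cur is not None and line.startswith("Subject: "):
            cur["subject"] = line[len("Subject: "):]
    if cur is not None:
        certs.append(Cert(**cur))  # raises TypeError if a block lacks a DN
    return certs


def check_order(chain: list[Cert]) -> list[str]:
    """Return a list of problems; empty means the chain is leaf-first and
    every Issuer is the Subject of the following certificate."""
    problems = []
    for a, b in zip(chain, chain[1:]):
        if a.issuer != b.subject:
            problems.append(
                f"Certificate[{a.index}] is issued by '{a.issuer}' but "
                f"Certificate[{b.index}] has subject '{b.subject}'"
            )
    for c in chain:
        if c.is_self_signed():
            problems.append(
                f"Certificate[{c.index}] is self-signed; sending it does not "
                "help a client that does not already trust it"
            )
    return problems


def reorder_chain(certs: list[Cert]) -> list[Cert]:
    """Rebuild the leaf-first order: start at the one cert that issues no
    other cert in the set, then follow Issuer -> Subject links, stopping
    before any self-signed root."""
    by_subject = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    ordered, seen = [leaves[0]], {leaves[0].subject}
    while True:
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None or nxt.subject in seen or nxt.is_self_signed():
            break
        ordered.append(nxt)
        seen.add(nxt.subject)
    return ordered


if __name__ == "__main__":
    chain = parse_gnutls_chain(SAMPLE_OUTPUT)
    for p in check_order(chain):
        print("problem:", p)
    print("suggested order:", [c.index for c in reorder_chain(chain)])
```

Run against the quoted output, it reports the mismatch between Certificate[0] and Certificate[1], the mismatch between Certificate[1] and Certificate[2], and the self-signed Certificate[1], and suggests sending only Certificate[0] followed by Certificate[2].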