Your message dated Sat, 15 Oct 2022 13:05:15 +0000 with message-id <[email protected]> and subject line Bug#1007138: fixed in gnutls28 3.7.8-3 has caused the Debian Bug report #1007138, regarding libgnutls30: fails to validate when there is junk in the cert chain, including duplicated server certs to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
1007138: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007138
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls30
Version: 3.7.3-4+b1
Severity: normal

Dear maintainers,

Recently ca-certificates 20211016 migrated to testing which included the following change:

  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)

As can be read here [1] Let's Encrypt certificates are signed by a certificate (1) that's signed by that blacklisted certificate. By now that intermediate certificate is widespread as a trusted CA and indeed it's available in Debian.

However, since ca-certificates migrated, liferea, which uses libsoup which uses libgnutls30 fails to collect my rss feeds from ci.debian.net. This seems to only be a problem with libgnutls30, as firefox-esr and curl work just fine. (wget also uses libgnutls30 and fails).

It seems that until ca-certificates migrated libgnutls30 just fell back to the expired certificate.

Paul

paul@mulciber ~ $ openssl x509 -in /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun 4 11:04:38 2015 GMT
            Not After : Jun 4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
<cut here>

paul@mulciber ~ $ gnutls-cli ci.debian.net
Processed 127 CA certificate(s).
Resolving 'ci.debian.net:443'...
Connecting to '52.34.117.196:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
	Public Key ID:
		sha1:344bd3eb5105d3b830dd87f6f5e4435e8aacdf6d
		sha256:ad60bf96ef3f8a50d84279e45abf4950fdd3852ae9e4f8b4f211575afde1effa
	Public Key PIN:
		pin-sha256:rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o=

- Certificate[1] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii  libc6          2.33-7
ii  libgmp10       2:6.2.1+dfsg-3
ii  libhogweed6    3.7.3-1
ii  libidn2-0      2.3.2-2
ii  libnettle8     3.7.3-1
ii  libp11-kit0    0.24.0-6
ii  libtasn1-6     4.18.0-4
ii  libunistring2  1.0-1

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.7.3-4+b1

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.7.8-3
Done: Andreas Metzler <[email protected]>

We believe that the bug you reported is fixed in the latest version of gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 15 Oct 2022 13:51:15 +0200
Source: gnutls28
Architecture: source
Version: 3.7.8-3
Distribution: experimental
Urgency: low
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1007138
Changes:
 gnutls28 (3.7.8-3) experimental; urgency=low
 .
   * 50_Fix-removal-of-duplicate-certs-during-verification.patch from
     https://gitlab.com/gnutls/gnutls/-/merge_requests/1653 fixes chain
     verification error on duplicate server cert in chain.
     Closes: #1007138
--- End Message ---
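
Added example (not part of the bug report and not GnuTLS code): a simplified, name-only model of walking the four-entry certificate list shown in the gnutls-cli output above. It shows why the repeated leaf stops a strict issuer-to-next-subject walk and why removing duplicates first lets the walk reach ISRG Root X1. The function names, the name-based trust check and the use of equal (subject, issuer, serial) as "same certificate" are assumptions; a real validator compares DER bytes and verifies signatures.

```python
from collections import namedtuple

# Equal (subject, issuer, serial) stands in for a byte-wise DER comparison (assumption).
Cert = namedtuple("Cert", "subject issuer serial")

LEAF = Cert("CN=ci.debian.net", "CN=R3,O=Let's Encrypt,C=US",
            "0x04568ce008fea2f0063e06ef52b45111a3ec")
R3 = Cert("CN=R3,O=Let's Encrypt,C=US",
          "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
          "0x00912b084acf0c18a753f6d62e25a75f5a")
X1_CROSS = Cert("CN=ISRG Root X1,O=Internet Security Research Group,C=US",
                "CN=DST Root CA X3,O=Digital Signature Trust Co.",
                "0x4001772137d4e942b8ee76aa3c640ab7")

# The list as presented by the server in the report: the leaf appears twice.
PRESENTED = [LEAF, LEAF, R3, X1_CROSS]
# Trust store after "DST Root CA X3" was blacklisted; matched by name only (assumption).
TRUSTED = {"CN=ISRG Root X1,O=Internet Security Research Group,C=US"}


def duplicate_positions(chain):
    """Indexes of certificates that repeat an earlier entry of the list."""
    return [i for i, cert in enumerate(chain) if cert in chain[:i]]


def drop_duplicates(chain):
    """Remove repeated certificates, keeping first occurrences in order."""
    out = []
    for cert in chain:
        if cert not in out:
            out.append(cert)
    return out


def walk(chain, trusted):
    """True if chain[0] links, entry by entry, to an issuer named in `trusted`."""
    for i, cert in enumerate(chain):
        if cert.issuer in trusted:
            return True   # issuer is a trust anchor: path complete
        if i + 1 == len(chain) or chain[i + 1].subject != cert.issuer:
            return False  # next entry is not the issuer: "issuer is unknown"
    return False


def verify(chain, trusted):
    """Walk the chain after removing duplicated entries."""
    return walk(drop_duplicates(chain), trusted)


if __name__ == "__main__":
    print("duplicates at:", duplicate_positions(PRESENTED))
    print("strict walk:  ", walk(PRESENTED, TRUSTED))
    print("after dedupe: ", verify(PRESENTED, TRUSTED))
```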

