On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> > The best would be to report that to debian instead. In any case,
> > what is the certificate chain that cannot be validated? Do you know
> > which CA certificates were removed by the update?
> >
> > regards,
> > Nikos
> Debian basically gets the bundle from mozilla and it seems that one
> of the certificates in the chain has been removed indeed.
> CN = Thawte Premium Server CA
> SHA1 Fingerprint:
> 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/)

Mozilla has removed the 1024-bit CAs; however, gnutls (3.3.x+) is capable of detecting an alternative path. In my debian (testing) system, certtool --verify and this chain gives:

Subject: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA, [email protected]
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Subject: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA, [email protected]
Checked against: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Output: Verified. The certificate is trusted.

Subject: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Issuer: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Checked against: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Output: Verified. The certificate is trusted.

Subject: C=DE,ST=NRW,L=Duesseldorf,O=Vodafone D2 GmbH,CN=pop3.arcor.de
Issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Checked against: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
To verify the chain, gnutls first tries to find the 1024-bit CA called
"C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA, [email protected]"

Since that is not available, it tries to find the issuer of the next certificate in the chain, which is:
"C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA"

And indeed there is a new CA which signs that certificate (see the "Checked against" entry).

What do you see in your system for the same command?

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
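The alternative-path behaviour described above, as an added example that is not gnutls code and not part of the original thread: a simplified model in which certificates are only (subject, issuer) DN pairs and a trust store is a set of root subjects, so signatures, key matching and validity periods are not checked (an assumption, to keep the walk itself visible); the chain and DNs are the ones from the certtool output.

```python
# Added example (not gnutls): model of chain verification that survives the
# removal of a cross-signing root. Certificates are (subject, issuer) DN pairs;
# signatures, key matching and expiry are NOT checked here (assumption).

PREMIUM = ("C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,"
           "OU=Certification Services Division,CN=Thawte Premium Server CA")
PRIMARY = ("C=US,O=thawte\\, Inc.,OU=Certification Services Division,"
           "OU=(c) 2006 thawte\\, Inc. - For authorized use only,"
           "CN=thawte Primary Root CA")
SSL_CA = "C=US,O=Thawte\\, Inc.,CN=Thawte SSL CA"
LEAF = "C=DE,ST=NRW,L=Duesseldorf,O=Vodafone D2 GmbH,CN=pop3.arcor.de"

# Chain as the server sends it, leaf first: the top certificate is the
# thawte Primary Root CA cross-signed by the (now removed) 1024-bit root.
CHAIN = [(LEAF, SSL_CA), (SSL_CA, PRIMARY), (PRIMARY, PREMIUM)]


def verify_chain(chain, trusted_roots):
    """Walk from the top of the chain down. The top certificate anchors if
    its issuer is a trusted root, or if its subject IS a trusted root (a
    cross-signed copy of a root already in the store). Otherwise it is
    dropped and the next certificate becomes the top: the alternative path.
    Returns (verified, [(subject, checked_against), ...])."""
    trusted = set(trusted_roots)
    remaining = list(chain)
    steps = []
    while remaining:
        subject, issuer = remaining[-1]
        if issuer in trusted:
            steps.append((subject, issuer))
            break
        if subject in trusted:
            steps.append((subject, subject))   # matched trusted root by subject
            break
        remaining.pop()                        # issuer unknown: try the next one
    else:
        return False, steps                    # nothing in the chain anchors
    # Top is anchored; each lower certificate must be issued by the one above.
    for i in range(len(remaining) - 2, -1, -1):
        subject, issuer = remaining[i]
        parent = remaining[i + 1][0]
        if issuer != parent:
            return False, steps
        steps.append((subject, parent))
    return True, steps


if __name__ == "__main__":
    for store in ({PREMIUM, PRIMARY}, {PRIMARY}):   # before / after the removal
        ok, steps = verify_chain(CHAIN, store)
        for subject, anchor in steps:
            print("Checked", subject.split("CN=")[-1], "against", anchor.split("CN=")[-1])
        print("Chain verification output:", "Verified." if ok else "Not verified.")
```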
