Public bug reported:

I noticed recently that landscape-client could no longer contact our staging server. Fortunately, contacting the production server is still ok.

This command is an easy way to reproduce the problem. It is failing against staging.landscape.canonical.com:

  gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt staging.landscape.canonical.com

I tried it in dapper, feisty, gutsy, hardy and intrepid. It only works in feisty, and I'm guessing it's because feisty is EOL'ed and didn't get an update.

I concentrated the rest of my tests in dapper. With libgnutls12_1.2.9-2ubuntu1_i386.deb it works. With libgnutls12_1.2.9-2ubuntu1.3_i386.deb it breaks.

Here is the chain as seen by gnutls against staging.landscape.canonical.com:

  [0] Subject's DN: O=*.landscape.canonical.com,OU=Domain Control Validated,CN=*.landscape.canonical.com
      Issuer's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
  [1] Subject's DN: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287
      Issuer's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
  [2] Subject's DN: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
      Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,[EMAIL PROTECTED]
  [3] Subject's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,[EMAIL PROTECTED]
      Issuer's DN: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,[EMAIL PROTECTED]

Notice that the last certificate in the chain is the CA certificate, which is self signed.

I wonder if the recent security fix broke that:

  - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate if it is self-signed in lib/x509/verify.c

Here is openssl's chain against the same site (staging):

  Certificate chain
   0 s:/O=*.landscape.canonical.com/OU=Domain Control Validated/CN=*.landscape.canonical.com
     i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
     i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
     i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED]
   3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED]
     i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[EMAIL PROTECTED]

Openssl's s_client tool works, btw.

** Affects: landscape
     Importance: High
         Status: New

** Affects: landscape-client
     Importance: Undecided
         Status: New

** Affects: gnutls12 (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: landscape
   Importance: Undecided
       Status: New

** Changed in: landscape
   Importance: Undecided => Critical
       Target: None => mountainview-pre-2

** Changed in: landscape
   Importance: Critical => High

** Also affects: landscape-client
   Importance: Undecided
       Status: New

--
gnutls regression: failure in certificate chain validation
https://bugs.launchpad.net/bugs/305264
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
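A triage helper for chain dumps in the "[n] Subject's DN / Issuer's DN" layout shown in the report, added here as an example and not part of the original bug report or of gnutls. It checks name chaining only (each issuer equals the next subject, no signature verification) and reports whether the server sends a self-signed certificate at the end of the chain; the function names and the shortened sample DNs are constructed for illustration.

```python
import re

# Constructed sample in the layout of the chain dump in the report
# (hypothetical, shortened DNs; not the certificates from the bug).
SAMPLE = """\
[0] Subject's DN: CN=*.example.test
    Issuer's DN: CN=Example Secure CA
[1] Subject's DN: CN=Example Secure CA
    Issuer's DN: OU=Example Class 2 CA
[2] Subject's DN: OU=Example Class 2 CA
    Issuer's DN: OU=Example Root Policy Authority
[3] Subject's DN: OU=Example Root Policy Authority
    Issuer's DN: OU=Example Root Policy Authority
"""

# One entry runs from "[n] Subject's DN:" to the next entry or end of input,
# so the same pattern works on output that was flattened onto one line.
ENTRY = re.compile(
    r"\[(\d+)\]\s*Subject's DN:\s*(.*?)\s*Issuer's DN:\s*(.*?)\s*"
    r"(?=\[\d+\]\s*Subject's DN:|\Z)",
    re.S,
)


def parse_chain(text):
    """Return [(index, subject_dn, issuer_dn), ...] in presented order."""
    return [(int(n), subj, iss) for n, subj, iss in ENTRY.findall(text)]


def analyze_chain(text):
    """Summarise name chaining and self-signed entries of a presented chain."""
    chain = parse_chain(text)
    # A break is a pair (i, j) where cert i's issuer is not cert j's subject.
    breaks = [(a[0], b[0]) for a, b in zip(chain, chain[1:]) if a[2] != b[1]]
    self_signed = [n for n, subj, iss in chain if subj == iss]
    return {
        "length": len(chain),
        "breaks": breaks,
        "self_signed": self_signed,
        "tail_is_self_signed": bool(chain) and chain[-1][1] == chain[-1][2],
    }


if __name__ == "__main__":
    print(analyze_chain(SAMPLE))
```

A result with `tail_is_self_signed` set and no breaks matches the situation described in the report: the server presents its own root at the end of an otherwise well-linked chain.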