Public bug reported:

libcurl3-gnutls 7.35.0-1ubuntu2.17 fails to verify the remote certificate
if the certificate chain provided is out-of-order. This is caused by the
libgnutls-dev package dependency, since the libgnutls26 package is
apparently long known to have this issue:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1373422

This bug can be observed with git, which depends on libcurl3-gnutls:

git clone https://gnunet.org/git/libmicrohttpd.git/
Cloning into 'libmicrohttpd'...
fatal: unable to access 'https://gnunet.org/git/libmicrohttpd.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The libgnutls28 package fixes this issue, since out-of-order certificate
chains are allowed in that package. I am not very familiar with the Debian
packaging process, so I was wondering if it is possible at all to bump
the dependency of libcurl3-gnutls from libgnutls-dev -> libgnutls28-dev
for trusty.

libgnutls28-dev conflicts with libgnutls-dev. At first sight, one of the
dependencies of libcurl3-gnutls-dev, librtmp-dev, also depends on
libgnutls-dev. So, again, I am not sure if this change is applicable or
if it causes nontrivial reverse-dependency issues.

Given that the above bug filed against gnutls26 is still open after 4 years,
I thought it might be easier to solve it on libcurl dependencies. (Is it?)

Thanks.

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1796712

Title:
  libcurl3-gnutls in trusty fails to verify certificates when
  certificate chain is out-of-order

Status in curl package in Ubuntu:
  New

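A diagnostic for the condition this report describes, added here as an example (it is not part of the bug report, nor code from curl or GnuTLS): it parses the subject/issuer lines printed by `openssl s_client -showcerts` and reports where the chain a server sends is out of order. The sample output and its names are constructed, and the comparison is by name only, with no signature check.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; all names are made up. The server sends
# leaf, root, intermediate, so entries 1 and 2 are swapped.
SAMPLE = """\
Certificate chain
 0 s:/CN=git.example.org
   i:/O=Example CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Root
   i:/O=Example CA/CN=Example Root
 2 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def first_break(chain):
    """Index of the first certificate not issued by the one after it, or None."""
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            return i
    return None

def reorder(chain):
    """Keep the leaf first, then follow issuer -> subject links by name."""
    if not chain:
        return []
    by_subject = {s: (s, i) for s, i in chain[1:]}
    ordered = [chain[0]]
    while True:
        subject, issuer = ordered[-1]
        nxt = by_subject.pop(issuer, None)  # pop so a name loop cannot repeat
        if subject == issuer or nxt is None:  # self-signed root or missing link
            return ordered
        ordered.append(nxt)
```

A non-None result from `first_break` on a server's chain means clients that require strict ordering will reject it, and the server's certificate bundle should be rebuilt in the order `reorder` returns.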