# dpkg-query -W gnutls-bin libgnutls30
gnutls-bin 3.5.18-1ubuntu1.4
libgnutls30:amd64 3.5.18-1ubuntu1.4

# gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com
Processed 2 CA certificate(s).
Resolving 'expired-root-ca-test.germancoding.com:443'...
Connecting to '2a01:4f8:151:506c::2:443'...
...
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

# faketime 2021-10-01 gnutls-cli canonical.com
Processed 129 CA certificate(s).
Resolving 'canonical.com:443'...
Connecting to '2001:67c:1360:8001::2b:443'...
...
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

Upgrading gnutls

# dpkg-query -W gnutls-bin libgnutls30
gnutls-bin 3.5.18-1ubuntu1.5
libgnutls30:amd64 3.5.18-1ubuntu1.5

# gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com </dev/null
Processed 2 CA certificate(s).
Resolving 'expired-root-ca-test.germancoding.com:443'...
Connecting to '2a01:4f8:151:506c::2:443'...
...
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 04:95:FF:FD:DF:83:B3:E2:3B:00:83:B7:FA:8B:4C:7D:CB:7A:CE:F4:ED:C6:50:62:A7:EF:07:4C:56:FA:91:A9
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: extended master secret, safe renegotiation, OCSP status request,
- Handshake was completed

- Simple Client Mode:

# faketime 2021-10-01 gnutls-cli canonical.com
Processed 129 CA certificate(s).
Resolving 'canonical.com:443'...
Connecting to '2001:67c:1360:8001::2c:443'...
...
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 6D:77:C1:D6:9B:F3:5F:97:19:D2:AF:AD:8E:8A:1C:7F:9E:2F:9E:D2:80:77:EE:82:D1:F7:1F:F4:F2:1D:50:E5
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: extended master secret, safe renegotiation,
- Handshake was completed

- Simple Client Mode:

All is good on bionic.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs