From: "Branko Grubić" <bitlord0xff@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] net-libs/gnutls-3.7.2 fails to verify some certificates (duplicate server certificate?)
Date: Tue, 23 Nov 2021 23:51:34 +0100 [thread overview]
Message-ID: <55782991b9f34d4184d8daf7cbd7d4a721f6b48d.camel@gmail.com> (raw)
In-Reply-To: <A2Y4FART.BM3IKSTH.URGJT2JV@OAL522X6.Z6XBKCZ6.KGESZWRV>
On Tue, 2021-11-23 at 17:26 -0500, Jack wrote:
> On 2021.11.23 14:43, Branko Grubić wrote:
> > Hi,
> > [1] https://gitlab.com/gnutls/gnutls/-/issues/1131
> OK, diff of your output to mine:
> 1,2c1,2
> < $ gnutls-cli distrowatch.com:443
> < Processed 130 CA certificate(s).
> ---
> > $gnutls-cli distrowatch.com:443
> > Processed 128 CA certificate(s).
> 21,23c21,29
> < - Status: The certificate is NOT trusted. The certificate issuer
> is
> unknown.
> < *** PKI verification of server certificate failed...
> < *** Fatal error: Error in the certificate.
> ---
> > - Status: The certificate is trusted.
> > - Description:
> > (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-
> > GCM)
> > - Session ID:
> > 83:62:97:D1:C0:77:19:76:F8:2F:41:7E:DD:CD:C5:A6:35:2A:5D:4C:39:B4:F
> > 5:12:CA:09:0F:07:26:BA:83:5F
> > - Options:
> > - Handshake was completed
> >
> > - Simple Client Mode:
> >
> > - Peer has closed the GnuTLS connection
>
> So I have two fewer CA Certs than you do, but somehow I know the
> issuer
> and you do not.
> I have app-misc/ca-certificates 20210119.3.66, but there are two ~
> versions. I wonder if something got dropped (whether intentionally
> or
> not.)
>
Hi,
Thanks for testing. Not happy that it's only me :D
I don't think my issue is related to ca-certificates, btw. I'm "fully"
on ~amd64 (unstable/testing).
Here is what's installed here:
app-misc/ca-certificates-20211016.3.72 -cacert
Also, as I said Let's Encrypt certificates from other sites work fine
with gnutls-cli (and other clients using gnutls), which have similar
certificate chain's (same, except the server certificate, same
intermediate and same "Root" certificate), so I don't think it's
related to a "missing trust".
Could be something specific to my system or ~arch (unstable), that some
library gnutls uses is causing issues (but I cannot remember now when
it started happening to pinpoint after which update it stopped
working).
Regards,
Branko
next prev parent reply other threads:[~2021-11-23 22:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-23 19:43 [gentoo-user] net-libs/gnutls-3.7.2 fails to verify some certificates (duplicate server certificate?) Branko Grubić
2021-11-23 22:14 ` Jack
2021-11-23 22:26 ` Jack
2021-11-23 22:51 ` Branko Grubić [this message]
2021-11-23 23:14 ` Jack
2021-11-26 10:37 ` Branko Grubić
2021-11-27 14:14 ` Branko Grubić
2021-11-28 5:51 ` [gentoo-user] " Branko Grubić
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55782991b9f34d4184d8daf7cbd7d4a721f6b48d.camel@gmail.com \
--to=bitlord0xff@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox