From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-197430-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id DDBA8158086
	for <garchives@archives.gentoo.org>; Fri, 26 Nov 2021 10:38:06 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 07937E083E;
	Fri, 26 Nov 2021 10:37:58 +0000 (UTC)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 02808E07EC
	for <gentoo-user@lists.gentoo.org>; Fri, 26 Nov 2021 10:37:56 +0000 (UTC)
Received: by mail-ed1-x52d.google.com with SMTP id y12so36869829eda.12
        for <gentoo-user@lists.gentoo.org>; Fri, 26 Nov 2021 02:37:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=message-id:subject:from:to:date:in-reply-to:references:user-agent
         :mime-version:content-transfer-encoding;
        bh=k2TsWddLEwdS5s5k6XHJh+UT++htZyPHyjDopFg6qZQ=;
        b=SVVC+AohJF8YlEcTP9hnX0jHtqHkQe6KRL5UrukVttZkM5dXBg0RWz+CYWDbYz3g2H
         CbUBVFuZT7mwP4vG7CEA/YpTP3bYHpDQNHL3aprWHRojzj20xR2+6NdPn0aLO3wnG/0A
         ObduMfSkko5Cur8rupfER8nIopnxHVzNjiVZHTyswo+Xey2StyncU4I7uf5LPiOzOugF
         Qmo/ZjdhxTMz5mxHjMen7MHmK4UTRtfKz9trC08dvOpIZ0lm2O8vziLoYjK0mcYwN+oR
         OzcKNXcsHiFhLxbv9LLJcJP8XdMgq9ce/xMt62fdgxwfWsaoEr4GteqSh9RJSqwvAn4s
         w42Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to
         :references:user-agent:mime-version:content-transfer-encoding;
        bh=k2TsWddLEwdS5s5k6XHJh+UT++htZyPHyjDopFg6qZQ=;
        b=ua6Hq5GM28FQFVHLq6E57kfDNYbpObXyHu6z7uduhEGzMP5friKJUpWDWadChKq9mk
         sbJGm4qdQNrkHJQyTyZtim/qqUoefFH2yl1Jd8EsLheEVMfccQNlnCtCaW921QB5hdxd
         sDeNkhWJIuze1coPkPEaseB7PiQa7g4vH7SE9mPamM4RwK4vehjNQUlC9VUxUBEojocP
         W+n1mgrWmPFMgm3fHZr51wTTkd4PSIs4lzhJjGLgOzcQxUg0/vX/i4tKR964LjaERD/j
         tBeplka3eyYo1USxfgUYQdhm8e6cW+YFqAGD4L7vH4ZeHvOnGGjQIwIWItm3QP8LIaFR
         PmUA==
X-Gm-Message-State: AOAM531flaE1aTKMt2JeK1OHc4C2t+n6drI2cMcTz/fkhv+qzPbcU8Y1
	xECxPcMQY0z8ZlX3i0GZfk7j1IOyprs=
X-Google-Smtp-Source: ABdhPJy752KnbngSN6klCgVsZS1n4MoFZ/jvP1BlLAeeadvdmWcE1urW/svO/nt3Zl3Go83allmKHw==
X-Received: by 2002:a17:907:8a1b:: with SMTP id sc27mr38593631ejc.572.1637923075597;
        Fri, 26 Nov 2021 02:37:55 -0800 (PST)
Received: from precision.linux.gnu ([109.245.95.217])
        by smtp.gmail.com with ESMTPSA id q7sm3462428edr.9.2021.11.26.02.37.54
        for <gentoo-user@lists.gentoo.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 26 Nov 2021 02:37:55 -0800 (PST)
Message-ID: <927a5fb02c0347666e3c018f115a4f1c211016ff.camel@gmail.com>
Subject: Re: [gentoo-user] net-libs/gnutls-3.7.2 fails to verify some
 certificates (duplicate server certificate?)
From: Branko =?UTF-8?Q?Grubi=C4=87?= <bitlord0xff@gmail.com>
To: gentoo-user@lists.gentoo.org
Date: Fri, 26 Nov 2021 11:37:48 +0100
In-Reply-To: <Y2RJE5VQ.H2UJ77IX.H6WST6KK@7R5XC6AG.AEZMXVPO.A5RMLIR7>
References: <Y2RJE5VQ.H2UJ77IX.H6WST6KK@7R5XC6AG.AEZMXVPO.A5RMLIR7>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.42.1 
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Archives-Salt: 86b0496f-3cb4-4903-bdff-167f4c00a887
X-Archives-Hash: b3aa7d28af0c234c1ba25521b5dcd951

On Tue, 2021-11-23 at 18:14 -0500, Jack wrote:
> OK, here's something.
> 
> I changed my stable version of ca-certificates from -cacert to
> cacert,  
> and now I get the same failure you do.  So - it's due to either  
> something in nss-cacert-class1-class3-r2.patch which only gets
> applied  
> if that USE flag is set, or to something else only done when that
> USE  
> flag is set.
> 
> I don't understand it, but it's a place to start - and note the note
> in  
> the ebuild:
> 
> # When triaging user reports, refer to our wiki for tips:
> #
> https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
> 

Thanks Jack.

Interesting that it breaks for you as well now. Btw I haven't used
USE="cacert" (could be that I copied it wrong here), it's a additional
Certificate Authority which is not included by default in Mozilla
database as far as I understand. I have tried to change USE="cacert"
and rebuild app-misc/ca-certificates but no change when tested, which
to me is expected, but who knows what could be an issue. 

I'll try to dig deeper into this. Initially I was hoping that someone
more familiar with the topic could jump in and suggest what to do next.

I did look at the wiki, but wiki uses openssl tools for debugging, and
I have no issues with openssl client connecting to this server :/ (so I
don't think it's useful in this case)

Regards,
Branko