Subject: [gentoo-user] net-libs/gnutls-3.7.2 fails to verify some certificates (duplicate server certificate?)
From: Branko Grubić
To: gentoo-user@lists.gentoo.org
Date: Tue, 23 Nov 2021 20:43:27 +0100
Message-ID: <9f52a53390b093486855d3f28ae8969d0be6a13c.camel@gmail.com>

Hi,

I have a few applications which use webkit-gtk and gnutls behind them, as far as I know. Recently I noticed that RSS feeds for some distrowatch.com subscriptions I had started to fail. Initially I ignored them; I thought something was wrong on the server side and it was not critical. But since it wasn't fixed, I started to investigate a little bit more.

So, in the end it seems to be related to gnutls on Gentoo (I'm running ~amd64):

net-libs/gnutls-3.7.2 abi_x86_64 cxx idn nls openssl seccomp tls-heartbeat tools

Important note: websites using Let's Encrypt certificates work fine, except this one (the only example known to me). Based on the output of `gnutls-cli`, it seems that the server certificate is served twice compared to other working ones (I could be wrong).

Example output:

$ gnutls-cli distrowatch.com:443
Processed 130 CA certificate(s).
Resolving 'distrowatch.com:443'...
Connecting to '82.103.129.71:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires `2021-12-14 03:49:14 UTC', pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
        Public Key ID:
                sha1:fcd2b25ac6ffd73fce3ef65211defd25331dc151
                sha256:4285b5b620c613c4b714bba4c3ceb244bf087debd138fc67c74ab056ebbfad42
        Public Key PIN:
                pin-sha256:QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI=
- Certificate[1] info:
 - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires `2021-12-14 03:49:14 UTC', pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Firefox and Chrome open the website just fine, no complaints. Also the openssl client doesn't complain, if I read the output right.

I have tested this on Fedora 35 as well using gnutls-cli; it comes with the same gnutls release, and has no issues connecting to the problematic host. So I suspect it's something to do with my system, the Gentoo ebuild, or the combination of libraries used for gnutls on my Gentoo system.

I have found an interesting (similar) bug[1] which was fixed in the current release (the fix is included in 3.7.2 based on the NEWS/release notes), where gnutls would fail if the Root CA certificate is present twice in the chain.

Can anyone confirm it happening on their system as well? I was not sure whether I should open a Gentoo bug.

Regards,
Branko

[1] https://gitlab.com/gnutls/gnutls/-/issues/1131
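An added check, not part of the message above and not gnutls code, that parses the certificate list gnutls-cli prints, reports entries that appear more than once (identified by issuer plus serial), and shows where the issuer-to-subject linkage of the served order breaks. The sample input is the output quoted above; first_link_break is a plain adjacent-pair comparison, an assumption for illustration, not gnutls's own path-building logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the "- subject" lines of the gnutls-cli output quoted in the message above.
SAMPLE_OUTPUT = """\
- Certificate[0] info:
 - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires `2021-12-14 03:49:14 UTC', pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
- Certificate[1] info:
 - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires `2021-12-14 03:49:14 UTC', pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
"""

# gnutls-cli prints one "- subject ..." line per certificate; issuer + serial identifies an X.509 cert.
CERT_RE = re.compile(r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', serial (?P<serial>0x[0-9a-fA-F]+)")

def parse_chain(output: str) -> List[Dict[str, str]]:
    """Return the certificates gnutls-cli listed, in the order the server sent them."""
    matches = (CERT_RE.search(line) for line in output.splitlines())
    return [m.groupdict() for m in matches if m]

def cert_id(cert: Dict[str, str]) -> Tuple[str, str]:
    return (cert["issuer"], cert["serial"].lower())

def duplicate_positions(chain: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[int]]:
    """Map every certificate that appears more than once to the chain indices holding it."""
    seen: Dict[Tuple[str, str], List[int]] = {}
    for i, cert in enumerate(chain):
        seen.setdefault(cert_id(cert), []).append(i)
    return {cid: idx for cid, idx in seen.items() if len(idx) > 1}

def first_link_break(chain: List[Dict[str, str]]) -> int:
    """Index of the first cert whose subject is not the previous cert's issuer; -1 if it links cleanly."""
    for i in range(1, len(chain)):
        if chain[i]["subject"] != chain[i - 1]["issuer"]:
            return i
    return -1

def dedupe_chain(chain: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Drop repeated certificates, keeping the first occurrence, so the linkage can be re-checked."""
    first = {cert_id(c): i for i, c in reversed(list(enumerate(chain)))}  # earliest index per cert
    return [c for i, c in enumerate(chain) if first[cert_id(c)] == i]

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    print(f"{len(chain)} certificates served; duplicates: {duplicate_positions(chain)}")
    print(f"link break at index {first_link_break(chain)}; after de-duplication: {first_link_break(dedupe_chain(chain))}")
```

Run it on the real gnutls-cli output of a host to separate the two cases: a break that disappears after dedupe_chain points at the repeated certificate, while one that survives it points elsewhere, such as the trust store.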