From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-197439-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id DBF8A158086
	for <garchives@archives.gentoo.org>; Sat, 27 Nov 2021 14:14:50 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id CE95E2BC03D;
	Sat, 27 Nov 2021 14:14:43 +0000 (UTC)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 2774A2BC00D
	for <gentoo-user@lists.gentoo.org>; Sat, 27 Nov 2021 14:14:42 +0000 (UTC)
Received: by mail-wr1-x42a.google.com with SMTP id o13so25108196wrs.12
        for <gentoo-user@lists.gentoo.org>; Sat, 27 Nov 2021 06:14:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=message-id:subject:from:to:date:in-reply-to:references:user-agent
         :mime-version:content-transfer-encoding;
        bh=h2ADG6fGHa6GQeBFlubCiI+9pMFnbDchXer9HrPzXS0=;
        b=aWYqzR6XRRlrsdOiBfZXbZxS5VUHmpFT5L4SvKVFHHP5tns2WBnz6Tt5g0ob13OCtA
         917zoFsyD2GLZ9yoMR5d5LOJatAhvTYn7w+cqaTbpjyCKyu6e2i4wxaVVHd16w6davNF
         ejJYReGqOJ1KQfbFKkqg7VCmzoO3vbroIVzBLymt/4OShyPFQIVzVpbTSELMX5dtIhbh
         q8mIMWkHoGOTIWrV5nYMSWC93ryHsg5E021uUueWgq9R322cVGXCyf7p9yjwwMQOjTQa
         4ZmB3V4Ppg+Cah9PFpuAxLI0lce8SnHH6O6+1AS+aaFwz6J8UE8HVRlOhA8aqK9yLCUp
         DGHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to
         :references:user-agent:mime-version:content-transfer-encoding;
        bh=h2ADG6fGHa6GQeBFlubCiI+9pMFnbDchXer9HrPzXS0=;
        b=OoeCNYGWNEHCdpuPCz5reenPDGk56kkypMzPN5l5soYU9b+w3feht9A7H03QA8likR
         Pfld0gYz8OPaTbFHSfzeFozSpeb0HsQVDg0MActdRSu+cctkxdbjcTCj83Uf63SrStZP
         COF6zhVV4mAi3OODc68YTdcEMJNmqFwUmkvFsj4s/XoZFZVXIKzSjahRgstDbxzGB6yC
         gV3c6VtLY93IsnhWaeAlJcPYX2g/W7O1rfYcIFLqDzrdPzj0lyIfEaqMvA1fK/qV+08C
         ylFj6Roes034B8H+rI71ndMlXAN69hfNqvIsC5+8eYULFju2FovDyIs+iEVanUNpqyvV
         5rhw==
X-Gm-Message-State: AOAM531Kv6weDMqBYSUk7WHe5FUD+SZNO0+GhcmF2FOesF7aChdtGlI4
	TBdy8ewIfjxjCRjjpWvEk3InSZEbi0M=
X-Google-Smtp-Source: ABdhPJxhiiGEEo5DmX6XEt6+ggDIK6Eb9zlJrhL71kvI9J3ZubfSz/1Vm5Sv9p09RmC3Hv3YNKzYgQ==
X-Received: by 2002:adf:dc44:: with SMTP id m4mr21326373wrj.550.1638022481676;
        Sat, 27 Nov 2021 06:14:41 -0800 (PST)
Received: from precision.linux.gnu ([109.245.95.217])
        by smtp.gmail.com with ESMTPSA id v2sm8495261wmc.36.2021.11.27.06.14.40
        for <gentoo-user@lists.gentoo.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 27 Nov 2021 06:14:41 -0800 (PST)
Message-ID: <b2e429735bd3a3aa2c2274c15f916eebbd0ff88d.camel@gmail.com>
Subject: Re: [gentoo-user] net-libs/gnutls-3.7.2 fails to verify some
 certificates (duplicate server certificate?)
From: Branko =?UTF-8?Q?Grubi=C4=87?= <bitlord0xff@gmail.com>
To: gentoo-user@lists.gentoo.org
Date: Sat, 27 Nov 2021 15:14:34 +0100
In-Reply-To: <Y2RJE5VQ.H2UJ77IX.H6WST6KK@7R5XC6AG.AEZMXVPO.A5RMLIR7>
References: <Y2RJE5VQ.H2UJ77IX.H6WST6KK@7R5XC6AG.AEZMXVPO.A5RMLIR7>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.42.1 
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Archives-Salt: f51cafcd-7d6e-457d-b78e-4de10fca1dd4
X-Archives-Hash: e41419e5bd08f4abaaefb0b8a7bfddc7

On Tue, 2021-11-23 at 18:14 -0500, Jack wrote:
> OK, here's something.
> 
> I changed my stable version of ca-certificates from -cacert to
> cacert,  
> and now I get the same failure you do.  So - it's due to either  
> something in nss-cacert-class1-class3-r2.patch which only gets
> applied  
> if that USE flag is set, or to something else only done when that
> USE  
> flag is set.
> 
> I don't understand it, but it's a place to start - and note the note
> in  
> the ebuild:
> 
> # When triaging user reports, refer to our wiki for tips:
> #
> https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
> 


Another update, I have masked ~arch ca-certificates:
>app-misc/ca-certificates-20210119.3.66

Downgraded to stable one, and now certificate verification is
successful with gnutls-cli on my test example. Weird since it didn't
fail to verify similar chains with newer app-misc/ca-certificates. I
will file a bug report, but still not sure which component app-mist/ca-
certificates or net-libs/gnutls. 

Regards,
Branko