Package: gnutls-bin
Version: 3.4.8-2
Severity: normal
Tags: upstream patch

I found that certtool writes broken Key Usage extensions to generated
certificates. For example, when using the following template (from the
mod_gnutls test suite) to create a CA, neither of the requested flags
(certificate signing and CRL signing) is set.

cn="Testing Authority"
ca
cert_signing_key
crl_signing_key

The key usage extension ends up present but empty. This leads to all
certificates issued by the CA getting rejected because signing
certificates violates the certificate's constraints.

I've reported the bug upstream [1] and there is a simple patch [2].
Please apply it to the version in Sid.

[1] http://lists.gnutls.org/pipermail/gnutls-devel/2016-January/007861.html
[2] https://gitlab.com/gnutls/gnutls/commit/7d3caedb8df9d04eee9513cb5b3b417ae29927f5

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnutls-bin depends on:
ii  libc6        2.21-7
ii  libgmp10     2:6.1.0+dfsg-2
ii  libgnutls30  3.4.8-2
ii  libhogweed4  3.1.1-4
ii  libidn11     1.32-3
ii  libnettle6   3.1.1-4
ii  libopts25    1:5.18.7-3
ii  libp11-kit0  0.23.2-3
ii  libtasn1-6   4.7-3
ii  zlib1g       1:1.2.8.dfsg-2+b1

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information
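
A check for the failure described in this report, as an added example (not part of the original report and not GnuTLS code): it decodes the DER BIT STRING carried in a keyUsage extension (RFC 5280, section 4.2.1.3) and reports when a CA certificate lacks keyCertSign or cRLSign. The function names and the sample byte strings are constructed for illustration, and it assumes the extension value has already been extracted from the certificate by an X.509 parser.

```python
# Bit names in the order RFC 5280 assigns them (bit 0 first).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)


def decode_key_usage(der: bytes) -> set:
    """Return the usage names asserted in a short-form DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bits count")
    total_bits = len(payload) * 8 - unused
    flags = set()
    # Bit 0 is the most significant bit of the first content byte.
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def ca_key_usage_problems(der: bytes, required=("keyCertSign", "cRLSign")) -> list:
    """List what is wrong with a CA certificate's keyUsage value."""
    flags = decode_key_usage(der)
    if not flags:
        return ["keyUsage present but no bits set"]
    return [f"missing {name}" for name in required if name not in flags]


# Constructed sample values, not taken from a real certificate.
EMPTY_KEY_USAGE = bytes.fromhex("030100")   # BIT STRING holding zero bits
CA_KEY_USAGE = bytes.fromhex("03020106")    # keyCertSign + cRLSign

if __name__ == "__main__":
    for label, der in (("empty", EMPTY_KEY_USAGE), ("expected CA", CA_KEY_USAGE)):
        print(label, sorted(decode_key_usage(der)), ca_key_usage_problems(der))
```
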