Hi Emmanuel,

On Fri, Aug 25, 2017 at 4:31 PM, Emmanuel Fleury <emmanuel.fle...@u-bordeaux.fr> wrote:
> I have been using sitecopy for a very long time to push my modifications to my website
> through WebDAV/SSL, and everything was well until a few months ago.
>
> Then, sitecopy started to refuse to write on the remote server, issuing
> the following error statement:
>
> Certificate verification error: signed using insecure algorithm
>
> After a little research in the code of sitecopy, I managed to focus a bit
> more on the origin of the problem. Here is an excerpt of an ltrace from
> an erroneous run of sitecopy:
[...]
> The error starts to appear around the call to ne_ssl_set_verify().

The actual place is in src/ne_gnutls.c line 938, check_certificate() function. It calls gnutls_certificate_verify_peers2() on line 961 and the value of 'status' is GNUTLS_CERT_INSECURE_ALGORITHM.

> In fact, I looked at other tools to update my website and got a similar
> problem when trying to access the WebDAVs file-system. For example, the
> tool fuserdav was issuing the exact same error:

As expected, as the certificate is the same and it's using an insecure algorithm for its signature.

> Yet, the certificate of the web server seems to be okay when checked
> with gnutls-cli:

The certificate is valid and fine, this is also expected.

> $ gnutls-cli --ca-verification --verbose www.labri.fr
[...]

Please note that here you are checking www instead of webdav and, as I see, these have different certifications.

> My belief is that if gnutls seems to consider this certificate as
> 'valid' and if sitecopy or fuserdav are both failing when asking
> libneon, then the bug must be in libneon... i.e. somewhere in between...

The certificates seem to be valid, but one of the signatures is considered insecure - however I don't know which and why.

> So, did I miss something or is there really a serious bug here?
> (it may be possible that the certificate is flawed... but I wonder why
> only libneon is seeing it as "wrong" then.

Please don't mix the two things: the certificate is valid, but uses an insecure algorithm for its signature.

> Feel free to ask me more details if needed!

I think you should ask someone who is better with GnuTLS. I can't see the reason. :(

Maybe it's related to the connection itself? Please see the detailed log for a working site:

$ gnutls-cli-debug www.google.com

It has TLS 1.0, 1.1 and 1.2 support. For your site:

$ gnutls-cli-debug webdav.labri.fr

Fails in the end with:

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2

It seems your site has a problem. Thus I plan to close this bug in some days as it's clear that it's not a Neon bug. The error comes from GnuTLS and it seems to be right. Maybe your site uses SSLv2 which was disabled as it's flawed in a variety of ways.

Hope this helps,
Laszlo/GCS
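The distinction Laszlo draws above (a chain that verifies, but a signature made with an algorithm GnuTLS now rejects) can be checked per host without relying on any one TLS library. The following is an added example, not code from this thread, neon or GnuTLS: it walks the outer DER structure of an X.509 certificate with the standard library only and reports the signatureAlgorithm OID and whether a modern verifier should still accept it. It assumes the certificate is available as DER bytes (for a live host one would save the PEM blocks printed by `openssl s_client -showcerts` and base64-decode them); here it runs on a constructed, unsigned certificate skeleton so it works offline.

```python
# Well-known signature-algorithm OIDs (PKCS#1, X9.62); unknown OIDs count as not acceptable.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER contents into dotted form (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280)."""
    tag, cert_start, _ = _read_tlv(der, 0)
    tag2, _, tbs_end = _read_tlv(der, cert_start)      # tbsCertificate, skipped whole
    tag3, alg_start, _ = _read_tlv(der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    tag4, oid_start, oid_end = _read_tlv(der, alg_start)
    assert (tag, tag2, tag3, tag4) == (0x30, 0x30, 0x30, 0x06), "unexpected DER layout"
    return _decode_oid(der[oid_start:oid_end])

def check_signature_algorithm(der):
    """Return (oid, name, acceptable) for the certificate's outer signature."""
    oid = signature_algorithm_oid(der)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", False))

def _tlv(tag, body):  # constructed-input helper, short-form lengths only
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def fake_certificate(sig_oid_bytes):
    """Constructed, unsigned Certificate skeleton carrying the given signature OID (not a real cert)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run it over each certificate in the chain served by webdav and by www separately: a chain can be otherwise valid and still be refused solely because one of its signatures uses an algorithm in the "not acceptable" set.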