Control: tags 885127 + moreinfo unreproducible

On Fri 2017-12-29 14:38:14 +0200, Rémi Denis-Courmont wrote:
> The version of GnuTLS in Debian incorrectly flags self-signed certificates as
> insecure certificate chain algorithm. This makes no sense; the flag is for
> certificate chains using insecure algorithms such as MD2, MD5 and SHA-1.

sorry, i'm having a hard time seeing this. In the example you give below:

> This is reproducible also with gnutls-bin (both with Debian and upstream
> GnuTLS):
>
> # gnutls-cli self-signed.badssl.com
> Processed 148 CA certificate(s).
> Resolving 'self-signed.badssl.com:443'...
> Connecting to '104.154.89.105:443'...
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US',
> issuer `CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US', serial
> 0x0086fb4dc8e5dd0f18, RSA key 2048 bits, signed using RSA-SHA256, activated
> `2016-08-08 21:17:05 UTC', expires `2018-08-08 21:17:05 UTC', pin-
> sha256="9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8="
> Public Key ID:
> sha1:7965dfc93c6ae6fe8381ec482216ec44ef47282a
>
> sha256:f522e496c72fccc623f1ffb9da5a79cdefe16340851f22d23d0cd2a58608066f
> Public Key PIN:
> pin-sha256:9SLklscvzMYj8f+52lp5ze/hY0CFHyLSPQzSpYYIBm8=
> Public key's random art:
> +--[ RSA 2048]----+
> | |
> | . |
> | o . . o |
> | = o o o .o..|
> | + + S o . .=.|
> | E . + o + o .. .|
> | . . . + o +o |
> | . .+. . |
> | .o...|
> +-----------------+
>
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> The certificate chain uses insecure algorithm.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** handshake has failed: Error in the certificate.

the error says "The certificate issuer is unknown", which is surely the
*correct* response for a self-signed certificate when you haven't added
that certificate to your list of X.509 root authorities.

In the forwarded bug report
(https://gitlab.com/gnutls/gnutls/issues/347), Andreas says:

>>> a) gnutls-cli self-signed.badssl.com
>>> b) Generate a test-cert with "certtool --generate-self-signed " with
>>> default algorithms and use gnutls-serv/gnutls-cli

(though presumably not in that order)

well, i tried that, and things still worked for me. in particular, to
generate the self-signed certificate, i did:

    certtool --generate-privkey --outfile key.pem
    certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem

when answering the questions in the second invocation, i just hit enter
on everything except:

    Common name: bad.example
    The certificate will expire in (days): 30
    Is this a TLS web server certificate? (y/N): y
    Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): n

Once that was done, i pointed bad.example to 127.0.0.1 in /etc/hosts,
launched the server with:

    gnutls-serv --x509keyfile key.pem --x509certfile cert.pem

and then connected with the client like so:

    gnutls-cli --x509cafile cert.pem bad.example:5556

everything worked successfully.

Can you give a clearer example of the problem you're seeing? I don't
see anything broken in my tests.

    --dkg