Control: tags -1 confirmed

On 2022-03-11 Paul Gevers <elb...@debian.org> wrote:
> Package: libgnutls30
> Version: 3.7.3-4+b1
> Severity: normal
>
> Dear maintainers,
>
> Recently ca-certificates 20211016 migrated to testing which included
> the following change:
>
> * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
[...]
> paul@mulciber ~ $ gnutls-cli ci.debian.net
> Processed 127 CA certificate(s).
> Resolving 'ci.debian.net:443'...
> Connecting to '52.34.117.196:443'...
> - Certificate type: X.509
> - Got a certificate list of 4 certificates.
> - Certificate[0] info:
> - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial
> 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using
> RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14
> UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
[...]
> - Certificate[1] info:
> - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial
> 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using
> RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14
> UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
[...]

Hello Paul,

thanks for the report.

I think the DST Root CA X3 thingy is unrelated, I rather suspect ci.debian.net changed.

ci.debian.net seems to be configured less than optimal, its cert-chain contains junk (0=server cert, 1=server cert *again*, etc.). Removing the duplicate server cert from the chain lets at least certtool --verify succeed. I expect gnutls-cli would also succeed if ci.debian.net was "improved".

And OTOH adding DSTRootCAX3.crt to the trusted set does not let gnutls-cli succeed:

| gnutls-cli --x509cafile=/tmp/DSTRootCAX3.crt ci.debian.net
[...]
| - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.

I am not claiming this is not a gnutls bug since iirc nowadays the respective RFCs allow sending junk certificates in the chain and the client is supposed to handle this.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
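An added example, not part of this bug report and not GnuTLS code: a small Python script (standard library only) that does mechanically what Andreas describes doing by hand, dropping duplicate certificates from a PEM chain before handing it to certtool --verify, and reporting which positions were duplicates using the same 0-based numbering that gnutls-cli prints as Certificate[N]. The three DER blobs embedded in it are constructed placeholders, not real X.509 certificates; the script compares DER encodings byte for byte (via their SHA-256 fingerprint), so it does not need to parse them.

```python
import base64
import hashlib
import re

# One PEM CERTIFICATE block; the base64 body may span several lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in the order sent."""
    ders = []
    for match in _PEM_BLOCK.finditer(pem_text):
        body = "".join(match.group(1).split())  # strip line breaks
        ders.append(base64.b64decode(body, validate=True))
    return ders


def to_pem(der: bytes) -> str:
    """Re-encode DER as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated as certtool prints it."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def dedupe_chain(pem_text: str):
    """Keep the first occurrence of each certificate, preserve chain order.

    Returns (cleaned_pem, kept_fingerprints, dropped_positions), where the
    positions match the Certificate[N] indices shown by gnutls-cli.
    """
    seen = set()
    kept = []
    dropped = []
    for idx, der in enumerate(split_pem_chain(pem_text)):
        fp = fingerprint(der)
        if fp in seen:
            dropped.append(idx)  # exact repeat of an earlier chain element
            continue
        seen.add(fp)
        kept.append((fp, der))
    cleaned = "".join(to_pem(der) for _, der in kept)
    return cleaned, [fp for fp, _ in kept], dropped


# Constructed placeholders: arbitrary bytes standing in for DER certificates.
# They are NOT valid X.509; the script only compares encodings byte for byte.
SERVER_DER = b"placeholder-server-cert"
INTERMEDIATE_DER = b"placeholder-intermediate-cert"

# Constructed chain in the shape the report describes: server cert, the same
# server cert again, then the intermediate.
SAMPLE_CHAIN = to_pem(SERVER_DER) + to_pem(SERVER_DER) + to_pem(INTERMEDIATE_DER)


if __name__ == "__main__":
    cleaned, fps, dropped = dedupe_chain(SAMPLE_CHAIN)
    for n, fp in enumerate(fps):
        print(f"Certificate[{n}] sha256 {fp}")
    print("dropped duplicate positions:", dropped)
    # 'cleaned' is what you would write to a file for: certtool --verify
```

Run it on a real chain by replacing SAMPLE_CHAIN with the contents of a file such as one written by `gnutls-cli --save-cert`. The dedupe keys on the SHA-256 of the DER, so only exact repeats are removed; a stale or mis-ordered certificate that is not a byte-for-byte duplicate still stays in the chain and still has to be diagnosed with certtool --verify. Stripping duplicates is a diagnostic step on the client side; the fix for the condition the report describes belongs in the server's configured chain.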