Control: retitle -1 libgnutls30: fails to validate when there is junk in the cert chain, including duplicated server certs
On Sun, 17 Jul 2022 09:40:09 +0800 Paul Wise wrote:

> I have seen this issue (duplicate server cert) on several other
> sites.

Seems this issue is broader than just duplicate server certs; I just
found a site that has a Thawte CA cert as its first cert in the cert
chain instead of the LE/ISRG CA certs. This site works just fine with
OpenSSL and NSS but not with GnuTLS.

$ gnutls-cli neo900.org < /dev/null
Processed 127 CA certificate(s).
Resolving 'neo900.org:443'...
Connecting to '207.154.223.212:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=neo900.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x047b33482e681f3a1ac7d3c5ccfd88ec782a, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-06-28 06:54:18 UTC', expires `2022-09-26 06:54:17 UTC', pin-sha256="PwlhvXvPqmAlJKlxSnEAkmSmjkg4sAhebliU+AznV1k="
	Public Key ID:
		sha1:6613298f366b86c7f160c573fa2cd2a9207fe0bd
		sha256:3f0961bd7bcfaa602524a9714a71009264a68e4838b0085e6e5894f80ce75759
	Public Key PIN:
		pin-sha256:PwlhvXvPqmAlJKlxSnEAkmSmjkg4sAhebliU+AznV1k=
- Certificate[1] info:
 - subject `CN=Thawte TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x090ee8c5de5bfa62d2ae2ff7097c4857, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-11-02 12:24:25 UTC', expires `2027-11-02 12:24:25 UTC', pin-sha256="42b9RNOnyb3tlC0KYtNPA3KKpJluskyU6aG+CipUmaM="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
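The report above shows a chain whose certificates are presented out of order (a Thawte intermediate sits in front of the Let's Encrypt R3 issuer), and the earlier message in the thread concerns a duplicated leaf. As an added illustration, not part of the bug report and not GnuTLS, OpenSSL or NSS code, the Python below contrasts a strict in-order validator (each certificate must be issued by the next one in the list) with a builder that indexes the presented certificates by subject and follows issuer links from the leaf until it reaches a trust anchor. Certificates are modelled only by subject and issuer names, constructed from the subjects in the gnutls-cli output; signature verification, validity periods and name constraints are assumed to be checked elsewhere and are omitted here.

```python
"""Chain building that tolerates extra, mis-ordered or duplicated certs.

Added example, not from the bug report or any TLS library. A certificate
is reduced to (subject, issuer); a real path validator must also verify
each link's signature, validity period and constraints (omitted here).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def strict_order_path(chain: List[Cert], trusted: Set[str]) -> Optional[List[Cert]]:
    """Naive validator: cert[i] must be issued by cert[i+1]. The walk stops
    as soon as the current cert's issuer is a trust anchor; any cert that
    is not the issuer of the previous one breaks the chain."""
    if not chain:
        return None
    path = [chain[0]]
    for cert in chain[1:]:
        if path[-1].issuer in trusted:
            break
        if cert.subject != path[-1].issuer:
            return None  # junk, duplicate or out-of-order cert: give up
        path.append(cert)
    return path if path[-1].issuer in trusted else None


def build_path(chain: List[Cert], trusted: Set[str]) -> Optional[List[Cert]]:
    """Tolerant builder: index every presented cert by subject, then walk
    from the leaf following issuer names until a trust anchor is reached.
    Extra, duplicated or mis-ordered certs are simply never selected."""
    if not chain:
        return None
    by_subject: Dict[str, List[Cert]] = {}
    for cert in chain[1:]:  # chain[0] is the leaf; the rest are candidates
        by_subject.setdefault(cert.subject, []).append(cert)

    def walk(path: List[Cert], seen: Set[Cert]) -> Optional[List[Cert]]:
        issuer = path[-1].issuer
        if issuer in trusted:
            return path
        for cand in by_subject.get(issuer, []):
            if cand in seen:  # cycle or duplicate: do not loop forever
                continue
            found = walk(path + [cand], seen | {cand})
            if found is not None:
                return found
        return None

    return walk([chain[0]], {chain[0]})


# Constructed from the subjects shown in the gnutls-cli output above.
LEAF = Cert("CN=neo900.org", "CN=R3,O=Let's Encrypt,C=US")
THAWTE = Cert("CN=Thawte TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US",
              "CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US")
R3 = Cert("CN=R3,O=Let's Encrypt,C=US",
          "CN=ISRG Root X1,O=Internet Security Research Group,C=US")
ISRG_X1_CROSS = Cert("CN=ISRG Root X1,O=Internet Security Research Group,C=US",
                     "CN=DST Root CA X3,O=Digital Signature Trust Co.")

# Assumed trust store: only the ISRG Root X1 subject is an anchor.
TRUST_STORE = {"CN=ISRG Root X1,O=Internet Security Research Group,C=US"}

NEO900_CHAIN = [LEAF, THAWTE, R3, ISRG_X1_CROSS]  # order as served, per the report
DUPLICATE_LEAF_CHAIN = [LEAF, LEAF, R3]           # the duplicated-leaf case


def demo() -> Dict[str, Optional[List[str]]]:
    """Run both strategies over the two problem chains; None means 'rejected'."""
    names = lambda p: None if p is None else [c.subject for c in p]
    return {
        "strict neo900": names(strict_order_path(NEO900_CHAIN, TRUST_STORE)),
        "built  neo900": names(build_path(NEO900_CHAIN, TRUST_STORE)),
        "strict dup-leaf": names(strict_order_path(DUPLICATE_LEAF_CHAIN, TRUST_STORE)),
        "built  dup-leaf": names(build_path(DUPLICATE_LEAF_CHAIN, TRUST_STORE)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Both served chains contain everything needed to reach the anchor, so the subject-indexed builder finds leaf -> R3 -> (trusted ISRG Root X1) in each case, while the strict walker rejects both because the second element is not R3. The builder also stops at the anchor rather than continuing into the cross-signed ISRG Root X1, and the `seen` set keeps it from looping on a chain that contains a cycle.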