Package: libgnutls26
Version: 2.4.2-5
Severity: important

Hi Andreas,

with your recent upload of gnutls, this signature of a host with a recently generated cacert signature is no longer valid:

$ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'fry.serverama.de'...
Connecting to '78.47.178.157:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1016 bits
 - Peer's public key: 1032 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches 'fry.serverama.de'.
 # valid since: Fri Jan 16 23:29:47 CET 2009
 # expires at: Sun Jan 16 23:29:47 CET 2011
 # serial number: 6E:68
 # fingerprint: EE:DD:CA:43:34:55:09:86:A7:AD:9F:97:6A:64:F2:34
 # version: #3
 # public key algorithm: RSA (1024 bits)
 # e [24 bits]: 01:00:01
 # m [1024 bits]: C8:77:59:24:7C:0F:1C:3F:CC:30:19:A4:73:23:03:54:E8:D0:72:48:6A:8C:91:F5:3A:B3:41:F2:E0:9F:B6:2B:B1:01:6B:44:C7:9F:54:C5:98:1E:21:05:01:52:53:45:C3:B9:1A:E5:2D:93:0D:C8:C4:02:CB:97:23:4C:97:BC:49:6D:91:12:CD:12:B0:DD:3C:F7:36:D3:37:0E:8A:41:F0:BE:EB:23:C0:0D:CB:B1:E1:E8:FE:50:44:C5:89:F4:E2:72:88:B8:52:A4:08:B4:4E:E2:5E:1A:BF:A4:2A:8B:C7:46:3E:B8:57:6F:CD:B6:83:E0:0E:CC:AD:1C:CB:7D
 # Subject's DN: CN=fry.serverama.de
 # Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
 - Certificate[1] info:
 # valid since: Fri Oct 14 09:36:55 CEST 2005
 # expires at: Mon Mar 28 09:36:55 CEST 2033
 # serial number: 01
 # fingerprint: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6
 # version: #3
 # public key algorithm: RSA (4096 bits)
 # e [24 bits]: 01:00:01
 # m [4096 bits]: Unknown
 # Subject's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
 # Issuer's DN: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,email=supp...@cacert.org
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 80:65:73:F1:41:61:D9:13:28:2B:F4:0B:5D:EE:96:87:6A:38:35:4C:75:D4:24:CC:DF:81:23:DE:67:22:02:2B
*** Verifying server certificate failed...
$ # It used to work though:
$ sudo dpkg -i /tmp/libgnutls26_2.4.2-4_amd64.deb
dpkg - Warnung: deaktualisiere libgnutls26 von 2.4.2-5 zu 2.4.2-4.
(Lese Datenbank ... 175611 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereiten zum Ersetzen von libgnutls26 2.4.2-5 (durch .../libgnutls26_2.4.2-4_amd64.deb) ...
Entpacke Ersatz für libgnutls26 ...
Richte libgnutls26 ein (2.4.2-4) ...
$ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'fry.serverama.de'...
Connecting to '78.47.178.157:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1016 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches 'fry.serverama.de'.
 # valid since: Fri Jan 16 23:29:47 CET 2009
 # expires at: Sun Jan 16 23:29:47 CET 2011
 # serial number: 6E:68
 # fingerprint: EE:DD:CA:43:34:55:09:86:A7:AD:9F:97:6A:64:F2:34
 # version: #3
 # public key algorithm: RSA (1024 bits)
 # e [24 bits]: 01:00:01
 # m [1024 bits]: C8:77:59:24:7C:0F:1C:3F:CC:30:19:A4:73:23:03:54:E8:D0:72:48:6A:8C:91:F5:3A:B3:41:F2:E0:9F:B6:2B:B1:01:6B:44:C7:9F:54:C5:98:1E:21:05:01:52:53:45:C3:B9:1A:E5:2D:93:0D:C8:C4:02:CB:97:23:4C:97:BC:49:6D:91:12:CD:12:B0:DD:3C:F7:36:D3:37:0E:8A:41:F0:BE:EB:23:C0:0D:CB:B1:E1:E8:FE:50:44:C5:89:F4:E2:72:88:B8:52:A4:08:B4:4E:E2:5E:1A:BF:A4:2A:8B:C7:46:3E:B8:57:6F:CD:B6:83:E0:0E:CC:AD:1C:CB:7D
 # Subject's DN: CN=fry.serverama.de
 # Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
 - Certificate[1] info:
 # valid since: Fri Oct 14 09:36:55 CEST 2005
 # expires at: Mon Mar 28 09:36:55 CEST 2033
 # serial number: 01
 # fingerprint: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6
 # version: #3
 # public key algorithm: RSA (4096 bits)
 # e [24 bits]: 01:00:01
 # m [4096 bits]: Unknown
 # Subject's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
 # Issuer's DN: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,email=supp...@cacert.org
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 6F:C0:1E:89:68:FE:D3:84:3A:FE:6E:4E:75:E0:47:FA:D8:25:31:CF:DF:51:9A:43:74:55:34:3F:97:6E:C9:44
- Handshake was completed
- Simple Client Mode:
^C

OpenSSL has no issue with this host:

$ openssl s_client -connect fry.serverama.de:443 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
verify return:1
depth=1 /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
verify return:1
depth=0 /CN=fry.serverama.de
verify return:1
---
Certificate chain
 0 s:/CN=fry.serverama.de
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailaddress=supp...@cacert.org
---
Server certificate
subject=/CN=fry.serverama.de
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 3366 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 52B646BBE0264083CDDE1C54C6C1C86DEF52414F56AB99D4AFB14929FD410203
    Session-ID-ctx:
    Master-Key: F9D184A880B1E6276C37E67887F896C706D210D61314AA9FEFB55DFD053C2FA1AA0DA072E4FAE671941526AC3583F66F
    Key-Arg : None
    Start Time: 1233581524
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

Do you have an idea what’s wrong?

Greetings,
Joachim

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6          2.7-18             GNU C Library: Shared libraries
ii  libgcrypt11    1.4.1-2            LGPL Crypto library - runtime libr
ii  libgpg-error0  1.4-2              library for common error values an
ii  libtasn1-3     1.5-1              Manage ASN.1 structures (runtime)
ii  zlib1g         1:1.2.3.3.dfsg-12  compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
ii  gnutls-bin     2.4.2-5            the GNU TLS library - commandline

-- no debconf information