On 2009-02-02 Simon Josefsson <si...@josefsson.org> wrote:
> Joachim Breitner <nome...@debian.org> writes:
>> On Monday, 02.02.2009, at 15:40 +0100, Simon Josefsson wrote:
>>>> Package: libgnutls26
>>>> Version: 2.4.2-5
>>>> Severity: important
>>>>
>>>> Hi Andreas,
>>>>
>>>> with your recent upload of gnutls, this signature of a host with a
>>>> recently generated cacert signature is no longer valid:
>>>>
>>>> $ gnutls-cli -VV fry.serverama.de -p 443 --x509cafile
>>>> /etc/ssl/certs/ca-certificates.crt
>>> ...
>>>> - Peer's certificate is NOT trusted
>>>
>>> CACert's intermediate certificate is signed using RSA-MD5, so it won't
>>> pass GnuTLS chain verification logic.
[...]
>>> We should probably consider to back-port Donald's logic to short-circuit
>>> chain verification as soon as you have a trusted cert: then you could
>>> choose to trust CACert's intermediate cert, and then there is no need to
>>> rely on RSA-MD5 to trust this chain. I'll test if the patch would help
>>> in your situation.

Hello,

I have just uploaded 2.4.2-6 (which is basically 2.4.3 without all the
changes from autogenerated files for easier review) to unstable. This
should fix (workaround) your problem, since it makes it possible to
trust the intermediate cert.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
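
The short-circuit behaviour discussed in this thread, as an added example that is not part of the original messages and is not GnuTLS code: a simplified Python model in which a chain walk rejects any RSA-MD5 signature it has to rely on, with and without stopping at the first directly trusted certificate. The certificate names, the `verify_chain` function and the name-based trust matching are assumptions made for illustration.

```python
from dataclasses import dataclass

WEAK_SIG_ALGS = {"RSA-MD2", "RSA-MD5"}  # signatures the verifier refuses to rely on

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str  # algorithm of the issuer's signature over this certificate

def verify_chain(chain, trusted, short_circuit):
    """chain is ordered leaf first; trusted is a set of subject names.
    Matching trust anchors by name is a simplification of this model."""
    for pos, cert in enumerate(chain):
        if short_circuit and cert.subject in trusted:
            # Trusted directly: the signature on this cert is never needed.
            return True, f"trusted certificate reached: {cert.subject}"
        if cert.sig_alg in WEAK_SIG_ALGS:
            return False, f"{cert.subject} is signed with {cert.sig_alg}"
        if pos == len(chain) - 1:
            if cert.issuer in trusted:
                return True, f"issuer is a trust anchor: {cert.issuer}"
            return False, f"issuer not trusted: {cert.issuer}"
        if chain[pos + 1].subject != cert.issuer:
            return False, f"chain broken after {cert.subject}"
    return False, "empty chain"

# Constructed sample chain: the intermediate carries an RSA-MD5 signature.
CHAIN = [
    Cert("host.example", "Example Intermediate CA", "RSA-SHA1"),
    Cert("Example Intermediate CA", "Example Root CA", "RSA-MD5"),
]
ROOT_ONLY = {"Example Root CA"}
ROOT_AND_INTERMEDIATE = {"Example Root CA", "Example Intermediate CA"}

def demo():
    """Run the sample chain through all four combinations."""
    return {
        "full walk, root trusted": verify_chain(CHAIN, ROOT_ONLY, False),
        "full walk, intermediate trusted": verify_chain(CHAIN, ROOT_AND_INTERMEDIATE, False),
        "short-circuit, root trusted": verify_chain(CHAIN, ROOT_ONLY, True),
        "short-circuit, intermediate trusted": verify_chain(CHAIN, ROOT_AND_INTERMEDIATE, True),
    }

if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'OK' if ok else 'REJECTED'} ({reason})")
```

Only the last combination succeeds: once the intermediate is itself trusted and the walk stops there, the RSA-MD5 signature over it is never evaluated.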