On 2009-02-19 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> I've done a bit of research on this bug (dealing with V1 CA certificates
> for gnutls in etch and/or lenny), and i do think that it is potentially
> quite serious.
>
> For example, the certificate used by https://mail.google.com/ appears to
> be rooted in a v1 CA certificate:
[...]

Shouldn't gnutls-cli mark the certificate as unverified in that case?

----------------------
ametz...@argenau:/etc/ssl/certs$ gnutls-cli --x509cafile /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem -p https mail.google.com
Processed 1 CA certificate(s).
Resolving 'mail.google.com'...
Connecting to '66.249.91.83:443'...
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'mail.google.com'.
 # valid since: Fri May  2 18:32:54 CEST 2008
 # expires at: Sat May  2 18:32:54 CEST 2009
 # fingerprint: C3:36:8D:8C:7F:27:45:78:E5:A5:08:40:D3:EF:16:67
 # Subject's DN: C=US,ST=California,L=Mountain View,O=Google Inc,CN=mail.google.com
 # Issuer's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA

 - Certificate[1] info:
 # valid since: Thu May 13 02:00:00 CEST 2004
 # expires at: Tue May 13 01:59:59 CEST 2014
 # fingerprint: 84:84:03:56:10:85:53:ED:9A:CA:60:B5:FA:99:D3:31
 # Subject's DN: C=ZA,O=Thawte Consulting (Pty) Ltd.,CN=Thawte SGC CA
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority

- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

----------------------
ametz...@argenau:/etc/ssl/certs$ certtool -i < /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority.pem
X.509 Certificate Information:
        Version: 1
        Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
        Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
        Validity:
                Not Before: Mon Jan 29 00:00:00 UTC 1996
                Not After: Tue Aug 01 23:59:59 UTC 2028
[...]
        Signature Algorithm: RSA-MD2
warning: signed using a broken signature algorithm that can be forged.
[...]
----------------------

cu and- mystified -reas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
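
An added example, not part of the original message and not GnuTLS code: a small Python audit over `certtool -i` text that flags trust anchors like the one shown above (X.509 version 1, or a signature algorithm built on MD2/MD5). The sample input is constructed from the excerpt in the message plus an invented v3 entry, and the function names are this example's own.

```python
import re

# Constructed sample: first entry mirrors the certtool excerpt in the message,
# second entry (Example Root v3) is invented for contrast.
SAMPLE = """\
X.509 Certificate Information:
        Version: 1
        Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
        Issuer: C=US,O=VeriSign\\, Inc.,OU=Class 3 Public Primary Certification Authority
        Signature Algorithm: RSA-MD2
warning: signed using a broken signature algorithm that can be forged.
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 01
        Issuer: C=XX,O=Example,CN=Example Root v3
        Signature Algorithm: RSA-SHA256
"""

# Only these three fields are needed; anchoring on the field name keeps
# lines such as "Subject Public Key Algorithm:" from matching.
FIELD = re.compile(r"^\s*(Version|Issuer|Signature Algorithm):\s*(.+?)\s*$")
WEAK_DIGESTS = ("MD2", "MD5")

def parse_certs(text):
    """Split certtool -i output into one dict of fields per certificate."""
    certs, cur = [], None
    for line in text.splitlines():
        if line.startswith("X.509 Certificate Information:"):
            cur = {}
            certs.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur.setdefault(m.group(1), m.group(2))  # keep first occurrence
    return certs

def audit(text):
    """Return [(issuer, [reasons])] for certificates that deserve review."""
    findings = []
    for cert in parse_certs(text):
        reasons = []
        if cert.get("Version") == "1":
            # v1 certificates carry no extensions, so no basicConstraints CA flag
            reasons.append("X.509 v1: CA status is not asserted by the certificate")
        alg = cert.get("Signature Algorithm", "")
        if alg.rsplit("-", 1)[-1] in WEAK_DIGESTS:
            reasons.append("signed with " + alg)
        if reasons:
            findings.append((cert.get("Issuer", "?"), reasons))
    return findings

if __name__ == "__main__":
    for issuer, reasons in audit(SAMPLE):
        print(issuer, "->", "; ".join(reasons))
```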