On Fri, Jan 01, 2010 at 01:28:47PM +0000, Sam Morris wrote:
> Package: libnss3-1d
> Version: 3.12.5-1
> Severity: grave
> Justification: renders package unusable
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
> company's email server. Evolution gives me this dialog:
>
> SSL Certificate check for imap.example.com:
>
> Issuer: serialNumber=88888888,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
> Fingerprint: ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
> Signature: BAD
>
> No problem with iceweasel, thunderbird, etc. but they don't appear to use the
> split-out package of NSS.
>
> I reported the same bug against gnutls, #563127. The maintainer found that
> gnutls refused to accept the certificate because it was issued by a "V1 CA".
> Sadly I'm no X.509 expert so I don't know what that really means. The
> certificate in question was issued in April 2009, so it's not exactly ancient.
>
> Please tell me if you'd like the server address to debug this further yourself,
> or whether there are any command line utilities for NSS that I can use as the
> equivalent of gnutls-bin/'openssl s_client' to debug further.

There is one, but you would need to build libnss3 yourself (and get the
binary in mozilla/security/nss/cmd/vfyserv). If you'd prefer me to further
investigate, please report the server address.

> Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
> that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
> this is the kind of thing that a user of NSS can override, please let me know
> and I'll forward that information to the (evolution) upstream bug at
> <https://bugzilla.gnome.org/show_bug.cgi?id=605773>.

There is no such change that I can see related to trusting V1 CA
certificates.

Mike