Your message dated Mon, 01 Jun 2020 09:18:51 +0000 with message-id <e1jfgap-000het...@fasolo.debian.org> and subject line Bug#961889: fixed in gnutls28 3.6.13-4 has caused the Debian Bug report #961889, regarding src:gnutls28: Fails building chains with expired intermediate regardless of trust store to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 961889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: src:gnutls28 Version: 3.6.7-4+deb10u3 Severity: grave Justification: renders package unusable Hi, gnutls appears to fail building a certificate chain, if: - the server sends an alternate chain with an expired intermediate - a matching root is in the local trust store. This was found because the "AddTrust External CA Root" [1] expired today, and it was used - a long time ago - to cross-sign the "USERTrust RSA Certification Authority" Root CA. When a server sends the cross-signed certificate, gnutls thinks the entire chain is invalid, even though the not-expired root is contained in its trust store. Example: $ gnutls-cli apt.puppet.com:443 Processed 129 CA certificate(s). Resolving 'apt.puppet.com:443'... Connecting to '2600:9000:2043:2200:1d:fc37:1cc0:93a1:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=apt.puppet.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x00d50b93f3f071150e62d87aee147a1520, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-18 00:00:00 UTC', expires `2020-07-18 23:59:59 UTC', pin-sha256="oBlhqVlMzd0j01OweaExY7LRykSLER7Cyml3qM9Rp4M=" Public Key ID: sha1:c94ab18efcc44ba3c51d39f831a734ad4e78e60b sha256:a01961a9594ccddd23d353b079a13163b2d1ca448b111ec2ca6977a8cf51a783 Public Key PIN: pin-sha256:oBlhqVlMzd0j01OweaExY7LRykSLER7Cyml3qM9Rp4M= - Certificate[1] info: - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4=" - Certificate[2] info: - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. Note that modern browsers, and OpenSSL 1.1.1 has no problem with this server. Obviously, this also breaks APT. I'm marking this grave, as GnuTLS doesn't seem to follow standards here, various other software just works, GnuTLS-using clients all break, and many many sites on the public Internet send the cross-signed certificate. Thanks, Chris [1] https://crt.sh/?id=1 -- System Information: Debian Release: 10.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---Source: gnutls28 Source-Version: 3.6.13-4 Done: Andreas Metzler <ametz...@debian.org> We believe that the bug you reported is fixed in the latest version of gnutls28, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 961...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas Metzler <ametz...@debian.org> (supplier of updated gnutls28 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 01 Jun 2020 10:34:25 +0200 Source: gnutls28 Architecture: source Version: 3.6.13-4 Distribution: unstable Urgency: medium Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-ma...@lists.alioth.debian.org> Changed-By: Andreas Metzler <ametz...@debian.org> Closes: 961889 Changes: gnutls28 (3.6.13-4) unstable; urgency=medium . * Output some network related debugging from debian/rules. * Fix verification error with alternate chains. Closes: #961889 Checksums-Sha1: ae3303cec3065a3057cd4b8e902908abf94a758f 3479 gnutls28_3.6.13-4.dsc e2faf23583c3ac9a5eb0aa83dacdeb6a5109951b 68068 gnutls28_3.6.13-4.debian.tar.xz Checksums-Sha256: 0a9f4becd4b88477d3cfa2593fb60b5e8e52c7739c74c817f9c508107b9cd295 3479 gnutls28_3.6.13-4.dsc 490ccbce3730cc976e19008329198ea0e6205d77ca297496744071352c063448 68068 gnutls28_3.6.13-4.debian.tar.xz Files: a2adbdd0fe35c40b933feb81b43c841b 3479 libs optional gnutls28_3.6.13-4.dsc 1f990100dd348223e43941253e8ebead 68068 libs optional gnutls28_3.6.13-4.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAl7Uw5kACgkQpU8BhUOC FIQTZxAAm2KnegX6VwsE2oBpAtQtS+RwYIM41y2lcxUkAVklC/q7J2q5cYkv28l8 YT8LIEzuXLgobFWKbhXxbX7/AtU9BrQ4kCIMhP78baJ2xGhPzKkg2cZCYyIccK/z PsCm0OoBj0beteEXR24LAFLxYN0AdxCBvPU+gL58G+ZnNxogdQqu/bcLHm4UENdJ b4xheJ8hVig2ZTukglXJfB7ufAXWWcKUAss3be8La/TILtotyguvq4gavFQFJwVP So+zLh7SZEo8+c95Wogt3BsQANEVrwX6IkipUKVicBAY9vwElT2zW0V0wjYn34sS xjjJFu6paEz7XpSmXJUe7DX7ZAS4BYQ/jVu/+h2OlT7Cm9krkAHV+5FKGz4TM0sd nXcf8hof2GG7hN7+4g85WdtNPESJP5WIvokEjQ6ZmR364g1/3cwaX7fTVjmEdir/ o1sd9AgCdTxfa0AhWpTXSSaOVnILNoeENS/lW5CDCHkhjbK3qWmikpSmq1NzoF0R 8r9VwKTodEUN/H3zFZ2Cb0/i7i5SldnGEcX+LuJ8UUFjTuB3MAFsN1kFC8VdEy/I 6/4hZ+73UzK7hJKTkAhGqEPXnD8Q+X8oAVBJI6pwaFJ4jY02KAT0ndmWZp1jfS/D C55STJPm7FwLZlUpajTAhwmv4nwIPLwAxYYclutL1X0cRANC+wc= =r7oU -----END PGP SIGNATURE-----
--- End Message ---
