Your message dated Tue, 5 Jan 2021 19:16:57 +0100
with message-id <X/stgfo8gtp0k...@argenau.bebt.de>
and subject line Re: Bug#976836: libgnutls30: 3.7.0-3 fails to connect on
debian.ethz.ch
has caused the Debian Bug report #976836,
regarding libgnutls30: 3.7.0-3 fails to connect HTTPS servers which send the
intermediate certificate twice
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
976836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libgnutls30
Version: 3.7.0-3
Severity: critical
Justification: breaks unrelated software
Dear Maintainer,
I updated gnutls to 3.7.0-3 this morning, then apt was unable to connect to
the Debian mirror https://debian.ethz.ch/debian/:
$ sudo apt update
Ign:1 https://debian.ethz.ch/debian sid InRelease
Err:2 https://debian.ethz.ch/debian sid Release
Certificate verification failed: The certificate is NOT trusted. The
certificate issuer is unknown. Could not handshake: Error in the certificate
verification. [IP: 129.132.53.171 443]
Reading package lists... Done
E: The repository 'https://debian.ethz.ch/debian sid Release' no longer has a
Release file.
N: Updating from such a repository can't be done securely, and is therefore
disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration
details.
Using the gnutls client directly gives:
$ gnutls-cli debian.ethz.ch -p 443
Processed 126 CA certificate(s).
Resolving 'debian.ethz.ch:443'...
Connecting to '129.132.53.171:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=plattenberg.ethz.ch', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x03303e4ec324a9667915ae5fb3383255b202, RSA
key 4096 bits, signed using RSA-SHA256, activated `2020-11-17 13:03:43 UTC',
expires `2021-02-15 13:03:43 UTC',
pin-sha256="7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA="
Public Key ID:
sha1:3c05692d0390a10e4e7cc1a4881c82288b0f6d83
sha256:eeac0dac022a383beb1300726749803299b63d139cbd82bf04da584c1cd2cdf0
Public Key PIN:
pin-sha256:7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA=
- Certificate[1] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST
Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256,
activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC',
pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST
Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256,
activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC',
pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
Reverting to libgnutls30 3.6.15-4 seems to fix the problem.
Best,
Jonathan
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.9.0-4-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libgnutls30 depends on:
ii libc6 2.31-5
ii libgmp10 2:6.2.1+dfsg-1
ii libhogweed6 3.6-2
ii libidn2-0 2.3.0-4
ii libnettle8 3.6-2
ii libp11-kit0 0.23.21-2
ii libtasn1-6 4.16.0-2
ii libunistring2 0.9.10-4
libgnutls30 recommends no packages.
Versions of packages libgnutls30 suggests:
ii gnutls-bin 3.6.15-4
-- no debconf information
--- End Message ---
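A check for the condition visible in the gnutls-cli output above, where Certificate[1] and Certificate[2] are the same intermediate. This is an added example, not part of the bug report or of GnuTLS: it parses the chain listing, tolerating mail line wrapping, and reports certificates the server sent more than once. The function names are hypothetical and the sample is the report's output with the key-size and validity fields trimmed.

```python
import re
from collections import defaultdict

# Chain section of the gnutls-cli output quoted in the report, with the
# key-size and validity fields trimmed; the mail line wrapping is kept.
SAMPLE = """\
- Certificate[0] info:
 - subject `CN=plattenberg.ethz.ch', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x03303e4ec324a9667915ae5fb3383255b202,
pin-sha256="7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA="
- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST
Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708,
pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST
Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708,
pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""

HEADER = re.compile(r"^- Certificate\[(\d+)\] info:\s*$", re.M)
FIELDS = re.compile(
    r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', "
    r'serial (?P<serial>0x[0-9a-f]+).*?pin-sha256="(?P<pin>[^"]+)"'
)

def parse_chain(output):
    """Return one dict per 'Certificate[N] info' entry, in the order sent."""
    parts = HEADER.split(output)[1:]  # [index, body, index, body, ...]
    chain = []
    for index, body in zip(parts[0::2], parts[1::2]):
        m = FIELDS.search(" ".join(body.split()))  # undo mail line wrapping
        if m:
            chain.append({"position": int(index), **m.groupdict()})
    return chain

def duplicate_entries(chain):
    """Map (issuer, serial, pin) to positions, for certificates sent more than once."""
    seen = defaultdict(list)
    for cert in chain:
        seen[(cert["issuer"], cert["serial"], cert["pin"])].append(cert["position"])
    return {key: pos for key, pos in seen.items() if len(pos) > 1}

if __name__ == "__main__":
    for (issuer, serial, _), positions in duplicate_entries(parse_chain(SAMPLE)).items():
        print(f"serial {serial} (issuer {issuer}) sent at positions {positions}")
```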
--- Begin Message ---
Version: 3.7.0-4
On 2021-01-02 Andreas Metzler <ametz...@bebt.de> wrote:
> On 2021-01-01 Petter Reinholdtsen <p...@hungry.com> wrote:
>> Is there any hope to have a fix for this in unstable soon? The
>> issue blocks ring and opendht from migrating to testing.
> Hello Petter,
> 3.7.0-5 in unstable features the patch from the yet unmerged
> <https://gitlab.com/gnutls/gnutls/-/merge_requests/1370>. I would like
> to give it more testing in unstable than two non-workdays provide,
> though.
Let's let it propagate to testing now.
gnutls28 (3.7.0-4) experimental; urgency=medium
* Test build of fixes from
https://gitlab.com/gnutls/gnutls/-/merge_requests/1371 and
https://gitlab.com/gnutls/gnutls/-/merge_requests/1370/ for #976836 and
#977552.
-- Andreas Metzler <ametz...@debian.org> Tue, 29 Dec 2020 07:52:38 +0100
cu Andreas
--- End Message ---