Hi,

I recently started to move parts of debian.org's infrastructure to jessie. I noticed a regression with software using curl to do https with certificate verification.

On wheezy, this works:

| weasel@mipsel-manda-01:~$ cat /etc/apt/apt.conf.d/puppet-https-buildd
| Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt";
| weasel@mipsel-manda-01:~$ tail -n1 /etc/apt/sources.list.d/buildd.debian.org.list
| deb https://buildd.debian.org/apt/ wheezy main

I.e., I can use a local copy of the expected end-entity certificate to authenticate an https server.

On jessie this no longer works:

} Err https://buildd.debian.org wheezy/main mipsel Packages
}   server certificate verification failed. CAfile: /etc/ssl/servicecerts/buildd.debian.org.crt CRLfile: none

Instead, I have to trust the corresponding root certificate or an intermediate (#771404).

I noticed a similar issue with git, where using the EE-certificate or an intermediate as http.sslCAInfo fails to authenticate the server (#771170).

Is this intentional, or is that a bug in either gnutls, curl, or the software using these libraries?

I suspect that other users of curl/gnutls might be affected as well, and that saying "I only trust this exact certificate" is not a crazy and rare use-case. Thus, I'd like to learn more here and ideally have this resolved for jessie.

Cheers,
-- 
                           |  .''`.  ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

Archive: https://lists.debian.org/20141129121020.gy20...@anguilla.noreply.org
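The "I only trust this exact certificate" requirement the post describes can be expressed without relying on how a TLS library treats a non-CA certificate in its CAfile: pin the SHA-256 fingerprint of the expected end-entity certificate and compare it against whatever the server presents after the handshake. The following is an added illustration, not code from the post, from curl, gnutls, apt or git; the host name, port and fingerprint in the usage section are placeholders, and the DER bytes in the self-check are constructed, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Compare the presented certificate against the pin in constant time.

    Colons and upper case in the expected value are accepted so that the
    output of `openssl x509 -noout -fingerprint -sha256` can be pasted as-is.
    """
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_pinned(host: str, port: int, expected_hex: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the server's leaf
    certificate is exactly the pinned one.

    Chain validation is intentionally not used: the point of the pin is that
    no CA, not even the issuer of this certificate, is a trust anchor.  The
    peer certificate is checked right after the handshake and the socket is
    closed before any application data is sent if it does not match.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # identity comes from the pin, not the name
    ctx.verify_mode = ssl.CERT_NONE  # no chain building; the pin replaces it
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI is still sent
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not fingerprint_matches(der, expected_hex):
            raise ssl.SSLCertVerificationError(
                "server certificate does not match the pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder values (hypothetical host and fingerprint, not from the post).
    PINNED_HOST = "example.invalid"
    PINNED_PORT = 443
    PINNED_SHA256 = "00" * 32
    with connect_pinned(PINNED_HOST, PINNED_PORT, PINNED_SHA256) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + PINNED_HOST.encode() + b"\r\n\r\n")
        print(s.recv(256))
```

A pin of this kind is only as good as the operator's rotation process: nothing above checks the pinned certificate's validity period or revocation status, so the stored fingerprint must be replaced whenever the service certificate is renewed, and a mismatch should be treated as a hard failure rather than a reason to fall back to ordinary CA verification.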