[gnutls-devel] Unable to trust server certificate instead of issuing CA

Andreas Metzler ametzler at bebt.de
Wed Dec 3 20:01:25 CET 2014


Hello,

This came up on d-d
<http://article.gmane.org/gmane.linux.debian.devel.general/199833>:

With gnutls 3.3.* it seems to be impossible to trust the server
certificate instead of the signing authority:

--------------------------------------------
ametzler at argenau:~$ gnutls-cli --x509cafile=/tmp/GNUTLS/buildd.debian.org.pem  buildd.debian.org
Processed 1 CA certificate(s).
Resolving 'buildd.debian.org'...
Connecting to '5.153.231.18:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Gandi Standard SSL,CN=buildd.debian.org', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', RSA key 3072 bits, signed using RSA-SHA1, activated `2013-12-31 00:00:00 UTC', expires `2014-12-31 23:59:59 UTC', SHA-1 fingerprint `2cdbdc8f013e50e9834cbdca02ecaea7f3982ed4'
        Public Key ID:
                787e4e3917a1f7f8962f10ea72a89e6dee922952
        Public key's random art:
                +--[ RSA 3072]----+
                |                 |
                |                 |
                |            .    |
                |       .   ...   |
                |      . S ..o.   |
                |    E  o  .o.+   |
                |   .   o.o= o... |
                |  . . +o++oo .+  |
                |   . o+*+o.  ..o.|
                +-----------------+

- Certificate[1] info:
 - subject `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-10-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `a9f79883a075ce82d20d274d1368e876140d33b3'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
--------------------------------------------

This used to work in 2.x. Is this an intentional change?

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
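What the post is trying to do, trusting one specific server certificate rather than the CA that issued it, is certificate pinning. The following is an added example (not code from the post, from Debian or from GnuTLS) of doing it at the socket level in Python: the client connects with no CA store at all, reads the exact DER certificate the server presents, and refuses to continue unless its digest equals a known pin. The host and the pin in the `__main__` block are placeholders (assumptions); the sample used to exercise the digest helpers is constructed bytes, not a real certificate.

```python
"""Pin the server's own certificate instead of trusting its issuing CA.

Added example; not code from the mailing-list post above or from GnuTLS.
Instead of putting the leaf certificate in a CA file (which the post
shows gnutls-cli 3.3 rejecting with "issuer is unknown"), the client
fetches the DER certificate the server actually presents and compares
its digest with a known value before any application data is sent.
"""
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the raw DER certificate.

    This is the same kind of value gnutls-cli prints as the fingerprint
    (SHA-1 in the post); SHA-256 is used here because SHA-1 is no longer
    a safe identifier for a certificate.
    """
    return hashlib.new(algorithm, der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """True if the certificate's digest equals the pin.

    Accepts the colon-separated and upper-case forms tools often print.
    Uses a constant-time comparison out of habit; the pin itself is
    public, so this is cheap insurance rather than a hard requirement.
    """
    wanted = expected.replace(":", "").strip().lower()
    got = cert_fingerprint(der_cert, algorithm)
    return hmac.compare_digest(got, wanted)


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate does not match the pin."""


def connect_pinned(host: str, port: int, expected: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that is trusted only if the leaf matches the pin.

    Chain validation is switched off on purpose (CERT_NONE): the pin
    replaces it, so there is no CA file and no "issuer is unknown" failure.
    The price is that the pin check MUST happen before the caller writes
    anything, and a mismatch must close the socket; both are done here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the pin, not the name, binds the peer
    ctx.verify_mode = ssl.CERT_NONE  # no CA store at all
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI is still needed
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None:
            raise PinMismatch("server presented no certificate")
        if not fingerprint_matches(der, expected):
            raise PinMismatch(
                "certificate %s does not match pin %s"
                % (cert_fingerprint(der), expected)
            )
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholders (assumptions): the host named in the post, and a pin you
    # must compute yourself from a copy of its certificate obtained over a
    # trusted channel, e.g. cert_fingerprint(open("server.der", "rb").read()).
    HOST, PORT = "buildd.debian.org", 443
    PIN = "replace-with-sha256-hex-of-the-trusted-certificate"
    with connect_pinned(HOST, PORT, PIN) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + HOST.encode() + b"\r\n\r\n")
        print(s.recv(512).decode("latin-1"))
```

Two caveats go with this. First, with CERT_NONE nothing else is checked, not the validity period and not the hostname, so the pin is the only control and must be kept secret from nobody but correct; a wrong pin fails closed, which is the intended behaviour. Second, pinning the whole leaf ties the client to that certificate's lifetime (the one in the post expires 2014-12-31), so every reissue breaks the pin; pinning the digest of the SubjectPublicKeyInfo instead survives reissuance with the same key and is the usual choice where a rotation plan is not available.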


