[gnutls-help] certificate issuer validation issue
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Tue Aug 18 19:45:24 CEST 2015
On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> >The best would be to report that to debian instead. In any case,
> > what
> > is the certificate chain that cannot be validated? Do you know
> > which
> > CA certificates were removed by the update?
> >
> > regards,
> > Nikos
> Debian basically get's the bundle from mozilla and it seems that one
> of the certificates in the chain has been removed indeed.
> CN = Thawte Premium Server CA
> SHA1 Fingerprint:
> 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out
> -certificates-with-1024-bit-rsa-keys/)
Mozilla has removed the 1024-bit CAs, however, it gnutls (3.3.x+) is
capable of detecting an alternative path.
In my debian (testing) system, certtool --verify and this chain gives:
Subject: C=US,O=thawte\, Inc.,OU=Certification Services
Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte
Primary Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server CA,
EMAIL=premium-server at thawte.com
Output: Not verified. The certificate is NOT trusted. The
certificate issuer is unknown.
Subject: C=US,O=thawte\, Inc.,OU=Certification Services
Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte
Primary Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server CA,
EMAIL=premium-server at thawte.com
Checked against: C=US,O=thawte\, Inc.,OU=Certification
Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use
only,CN=thawte Primary Root CA
Output: Verified. The certificate is trusted.
Subject: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Issuer: C=US,O=thawte\, Inc.,OU=Certification Services
Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte
Primary Root CA
Checked against: C=US,O=thawte\, Inc.,OU=Certification
Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use
only,CN=thawte Primary Root CA
Output: Verified. The certificate is trusted.
Subject: C=DE,ST=NRW,L=Duesseldorf,O=Vodafone D2
GmbH,CN=pop3.arcor.de
Issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Checked against: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
To verify the chain gnutls tries first to find the 1024-bit CA called
"C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server CA,
EMAIL=premium-server at thawte.com"
Since that is not available it tries to find the issuer of the next
certificate in the chain which is:
"C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006
thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA"
And indeed there is a new CA which signs that certificate (see the
"Checked against" entry).
What do you see in your system for the same command?
regards,
Nikos
More information about the Gnutls-help
mailing list