Package: libgnutls28 Version: 3.0.22-2 Severity: important
In gnutls 3.1 it is possible to verify authenticity of server that supplies certificate chain which is not sorted. eg. server has certificate S which is signed by intermediate I which is signed by CA root R. The server supplies chain S R I which is verified by gnutls 3.1 but not 3.0. Such servers exist in the wild so this is clearly an interoporebility issue. In gnutls 3.1.3 GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN flag is available and defaults to on. When this flag is set such chain is verified without issues. Thanks Michal -- System Information: Debian Release: 6.0.6 APT prefers stable APT policy: (990, 'stable'), (500, 'testing'), (400, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libgnutls28 depends on: ii libc6 2.13-35 Embedded GNU C Library: Shared lib ii libgmp10 2:5.0.5+dfsg-2 Multiprecision arithmetic library ii libhogweed2 2.5-1 low level cryptographic library (p ii libnettle4 2.5-1 low level cryptographic library (s ii libp11-kit0 0.12-3 Library for loading and coordinati ii libtasn1-3 2.14-2 Manage ASN.1 structures (runtime) ii multiarch-support 2.13-35 Transitional package to ensure mul ii zlib1g 1:1.2.7.dfsg-13 compression library - runtime libgnutls28 recommends no packages. Versions of packages libgnutls28 suggests: ii gnutls-bin 3.1.3-1 GNU TLS library - commandline util -- no debconf information -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

