Your message dated Sat, 11 Jul 2020 11:47:10 +0000 with message-id <[email protected]> and subject line Bug#961889: fixed in gnutls28 3.6.7-4+deb10u5 has caused the Debian Bug report #961889, regarding src:gnutls28: Fails building chains with expired intermediate regardless of trust store to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 961889: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: src:gnutls28 Version: 3.6.7-4+deb10u3 Severity: grave Justification: renders package unusable Hi, gnutls appears to fail building a certificate chain, if: - the server sends an alternate chain with an expired intermediate - a matching root is in the local trust store. This was found because the "AddTrust External CA Root" [1] expired today, and it was used - a long time ago - to cross-sign the "USERTrust RSA Certification Authority" Root CA. When a server sends the cross-signed certificate, gnutls thinks the entire chain is invalid, even though the not-expired root is contained in its trust store. Example: $ gnutls-cli apt.puppet.com:443 Processed 129 CA certificate(s). Resolving 'apt.puppet.com:443'... Connecting to '2600:9000:2043:2200:1d:fc37:1cc0:93a1:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=apt.puppet.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x00d50b93f3f071150e62d87aee147a1520, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-07-18 00:00:00 UTC', expires `2020-07-18 23:59:59 UTC', pin-sha256="oBlhqVlMzd0j01OweaExY7LRykSLER7Cyml3qM9Rp4M=" Public Key ID: sha1:c94ab18efcc44ba3c51d39f831a734ad4e78e60b sha256:a01961a9594ccddd23d353b079a13163b2d1ca448b111ec2ca6977a8cf51a783 Public Key PIN: pin-sha256:oBlhqVlMzd0j01OweaExY7LRykSLER7Cyml3qM9Rp4M= - Certificate[1] info: - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4=" - Certificate[2] info: - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. Note that modern browsers, and OpenSSL 1.1.1 has no problem with this server. Obviously, this also breaks APT. I'm marking this grave, as GnuTLS doesn't seem to follow standards here, various other software just works, GnuTLS-using clients all break, and many many sites on the public Internet send the cross-signed certificate. Thanks, Chris [1] https://crt.sh/?id=1 -- System Information: Debian Release: 10.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---Source: gnutls28 Source-Version: 3.6.7-4+deb10u5 Done: Andreas Metzler <[email protected]> We believe that the bug you reported is fixed in the latest version of gnutls28, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Andreas Metzler <[email protected]> (supplier of updated gnutls28 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 07 Jun 2020 07:45:55 +0200 Source: gnutls28 Architecture: source Version: 3.6.7-4+deb10u5 Distribution: buster Urgency: medium Maintainer: Debian GnuTLS Maintainers <[email protected]> Changed-By: Andreas Metzler <[email protected]> Closes: 956649 958704 961889 Changes: gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium . * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649 * 47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch from GNUTLS 3.6.14: One line fix for memory leak. Closes: #958704 * Rename 44_rel3.6.14_01-stek-differentiate-initial-state-from-valid-time-win.patch (security upload) to 44_rel3.6.14_90_... to be able to pull earlier fixes from 3.6.14 and have correct patch filename order. * 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286) * 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch 44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch 44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch backported from GnuTLS 3.6.14: Fix verification error with alternate chains. Closes: #961889 Checksums-Sha1: 0f3085ef934677faf9868dac0a6b1e66e11ffbb6 3354 gnutls28_3.6.7-4+deb10u5.dsc aaa80acf0e41d6b8caaf179a61f31b4ee0908feb 89484 gnutls28_3.6.7-4+deb10u5.debian.tar.xz Checksums-Sha256: d91aef3a450b7dceef817264996a3c11b72dd7fb8e892897b63d7e52bd078e4a 3354 gnutls28_3.6.7-4+deb10u5.dsc d719d468f59aef1c480dda91ffee6d0c728e8635a0808f199d999d04f128b70a 89484 gnutls28_3.6.7-4+deb10u5.debian.tar.xz Files: fd8beca0f120bfb950ca710e74b8f5de 3354 libs optional gnutls28_3.6.7-4+deb10u5.dsc 87d11e99d6d39916de65b019d7cd0e87 89484 libs optional gnutls28_3.6.7-4+deb10u5.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAl7ci0IACgkQpU8BhUOC FISOjxAAimH9ysVEGp2n+hXgwhLiCO3aKLaLsG56g1gd9QDuDOrCcvcg3QqNT+vN 5uh8+UY9e3HlZPQREeOU2BNxn8iHjj4LulrhSfie39Yuw5UZClLqSPQ5XA3AKBG4 gqtZ6Ay86Y+uHjeBynlhOCTmeYOQFPF6k0bMdeX9LvKl9iMnh0VSlpyy+/Wcw/dk cvuk/QF/cOUQzhdFwJHVxkNnpLkRTj+hHmEHqwLxYf4TCAEzwyMFiawoGam+TOUG wF6iFEyihj3DMZDJqOBPgsQfpzICIXjcOHCI6TvToCQNjryGU33ZpUGsxoHTSUET ut9jhT4MyNL1Vu09wUP038w0Kfhm3cByH9vNtsPxufAsUoHTvKbDUnZ3/djZPDoJ xdoGVJttoCtXeS1GrR0KwgubDsfHVJDygZkkgWUdlnN5CiGRitFOgvSWSCB32kjT QXTvXr1F+0nCnReu9kribhptNNhip9H/OROZjt9FPCPMNgujVrfHNm+we4TiV5Xl fU4ZaB0xWnWT+i19rIhPMVl7a4MoFfxW5elJ+ufa2cKXqsf/s2hL/7wctofSWXzw 9GWYuH8Ft2yFTsIF730OGhFGbDa4bnesLhbM2AXCvlRfG2E/0zrE5znbLfklCMOs yfHbgZjppf00oRITAP84LgNk4wqxFfxBM9lnLM7UPaygdqMB4qQ= =W8Lc -----END PGP SIGNATURE-----
--- End Message ---
