On 2021.11.23 14:43, Branko Grubić wrote:
Hi,
I have few applications which use webkit-gtk and gnutls behind as far
as I know, recently I noticed that RSS feeds for some distrowatch.com
subscriptions I had started to fail, initially I did ignore them I
thought something is wrong on the server side and it was not critical.
But since it wasn't fixed I started to investigate a little bit more.
So, in the end it seems to be related to gnutls on Gentoo (I'm running
~amd64)
net-libs/gnutls-3.7.2 abi_x86_64 cxx idn nls openssl seccomp tls-
heartbeat tools
Important note, websites using Let's Encrypt certificates work fine,
except this one (only example known to me). Based on the output of
`gnutls-cli` it seems that server certificate is served twice compared
to other working ones (I could be wrong).
Example output:
$ gnutls-cli distrowatch.com:443
Processed 130 CA certificate(s).
Resolving 'distrowatch.com:443'...
Connecting to '82.103.129.71:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits,
signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires
`2021-12-14 03:49:14 UTC', pin-
sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
Public Key ID:
sha1:fcd2b25ac6ffd73fce3ef65211defd25331dc151
sha256:4285b5b620c613c4b714bba4c3ceb244bf087debd138fc6
7c74ab056ebbfad42
Public Key PIN:
pin-
sha256:QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI=
- Certificate[1] info:
- subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits,
signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires
`2021-12-14 03:49:14 UTC', pin-
sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
- Certificate[2] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
X1,O=Internet Security Research Group,C=US', serial
0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using
RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15
16:00:00 UTC', pin-
sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using
RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30
18:14:03 UTC', pin-
sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is
unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
Firefox and Chrome open website just fine, no complains. Also openssl
client doesn't complain if I read the output right.
I have tested this on Fedora 35 as well using gnutls-cli, it comes
with
same gnutls release, and has no issues connecting to problematic host.
So I suspect it's something to do with my system, Gentoo ebuild, or
combination of libraries used for gnutls on my Gentoo system.
I have found an interesting (similar) bug[1] which was fixed in the
current release (fix is included in 3.7.2 based on the NEWS/Release
notes) where gnutls would fail if Root CA certificate is present twice
in the chain.
Can anyone confirm it happening on their system as well, I was not
sure
should I open a Gentoo bug.
Regards,
Branko
[1] https://gitlab.com/gnutls/gnutls/-/issues/1131
OK, diff of your output to mine:
1,2c1,2
< $ gnutls-cli distrowatch.com:443
< Processed 130 CA certificate(s).
---
$gnutls-cli distrowatch.com:443
Processed 128 CA certificate(s).
21,23c21,29
< - Status: The certificate is NOT trusted. The certificate issuer is
unknown.
< *** PKI verification of server certificate failed...
< *** Fatal error: Error in the certificate.
---
- Status: The certificate is trusted.
- Description:
(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID:
83:62:97:D1:C0:77:19:76:F8:2F:41:7E:DD:CD:C5:A6:35:2A:5D:4C:39:B4:F5:12:CA:09:0F:07:26:BA:83:5F
- Options:
- Handshake was completed
- Simple Client Mode:
- Peer has closed the GnuTLS connection
So I have two fewer CA Certs than you do, but somehow I know the issuer
and you do not.
I have app-misc/ca-certificates 20210119.3.66, but there are two ~
versions. I wonder if something got dropped (whether intentionally or
not.)
