Public bug reported: Ubuntu version: 14.04
Affected package versions: - 2.12.23-12ubuntu2.4 - 2.12.23-12ubuntu2.5 Unaffected package versions: - 2.12.23-12ubuntu2.3 and older Description: When trying to connect to servers that have a RSA-MD5 signature in their certificate chain, gnutls26 fails to connect with "The signature algorithm is not supported." The root certificate of cacert uses RSA-MD5, so this can be reproduced by trying to connect to any server that uses their certs Downgrading to 2.12.23-12ubuntu2.3 workarounds the issue. This error originally appeared when trying to connect to jabber.ccc.de from bitlbee 3.2.1+otr4-1ubuntu0.2. gnutls28 is unaffected - The user who reported the issue moved to the bitlbee nightly build apt repo, which compiles against gnutls28 instead of 26, and that "fixed" the issue. OpenSSL has no issues connecting either. Actual behavior (with 2.12.23-12ubuntu2.4): $ gnutls-cli cacert.org Resolving 'cacert.org'... Connecting to '213.154.225.245:443'... *** Non fatal error: A TLS warning alert has been received. *** Received alert [112]: The server name sent was not recognized *** Fatal error: The signature algorithm is not supported. *** Handshake has failed GnuTLS error: The signature algorithm is not supported. Expected behavior (with 2.12.23-12ubuntu2.3): $ gnutls-cli cacert.org Resolving 'cacert.org'... Connecting to '213.154.225.245:443'... *** Non fatal error: A TLS warning alert has been received. *** Received alert [112]: The server name sent was not recognized - Ephemeral Diffie-Hellman parameters - Using prime: 2048 bits - Secret key: 2047 bits - Peer's public key: 2046 bits - Certificate type: X.509 - Got a certificate list of 2 certificates. - Certificate[0] info: - subject `C=AU,ST=NSW,L=Sydney,O=CAcert Inc.,CN=www.cacert.org', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 2048 bits, signed using RSA-SHA512, activated `2014-04-28 20:57:55 UTC', expires `2016-04-27 20:57:55 UTC', SHA-1 fingerprint `bea40d514ab303db57fa1598efdc02c9b519a910' - Certificate[1] info: - subject `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', issuer `O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=supp...@cacert.org', RSA key 4096 bits, signed using RSA-MD5 (broken!), activated `2003-03-30 12:29:49 UTC', expires `2033-03-29 12:29:49 UTC', SHA-1 fingerprint `135cec36f49cb8e93b1ab270cd80884676ce8f33' - The hostname in the certificate matches 'cacert.org'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.2 - Key Exchange: DHE-RSA - Cipher: AES-256-CBC - MAC: SHA256 - Compression: NULL - Handshake was completed ** Affects: gnutls26 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1553819 Title: Regression in trusty's gnutls26, can't connect to servers with RSA-MD5 certs (cacert) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1553819/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
