GNUTLS:
- gnutls passes all certificates in /etc/ssl/certs/ca-certificates.crt
- the server secure-test.streamline-esolutions.com returns a certificate that is signed with the Verisign_Class_3_Public_Primary_Certification_Authority.pem certificate with the fingerprint "openssl x509 -in Verisign_Class_3_Public_Primary_Certification_Authority.pem -noout -fingerprint
SHA1 Fingerprint=A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B"
- the server does *not* return this certificate though, it returns a weaker md2 certificate
- the "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B" certificate is part of the trusted certs so gnutls is happy
GIO:
- gio-network is looking at each of the certificates in the certification chain returned by the server
- it will *not* load all certificates from /etc/ssl/certs/ca-certificates.crt for verification, but *only* those that are also returned by the server as part of the verification chain
- the server only returns the weak md2 certificate and not the stronger A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B certificate
- gio cannot find the md2 certificate as we do not ship that
- gio fails with an error as it does not find a root certificate from the server that is also in the local /etc/ssl/certs/ca-certificates.crt
This indicates server misconfiguration IMO, plus it seems that gio is overly restrictive here. It could simply pass all data to gnutls for the verification.
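
Added example (not part of the original comment, and not GnuTLS or GIO code): a simplified Python model of the two trust-anchor selection strategies described above, run against the chain the comment reports. Issuer-name matching stands in for real signature verification; the Cert fields, the sig_alg labels on the store and leaf certificates, and both PLACEHOLDER fingerprints are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str      # label only; no real signature is checked in this model
    fingerprint: str

def verify_against_store(chain, store):
    """Any CA in the local store may anchor the path (GnuTLS, as described)."""
    anchors = {c.subject for c in store}
    sent = {c.subject: c for c in chain}
    cert, visited = chain[0], set()
    while cert.subject not in visited:       # stop on a self-issued loop
        visited.add(cert.subject)
        if cert.issuer in anchors:           # issuer is a locally trusted CA
            return True
        if cert.issuer not in sent:          # path cannot be extended
            return False
        cert = sent[cert.issuer]
    return False

def verify_sent_anchors_only(chain, store):
    """Only store entries the server also sent count as anchors (GIO, as described)."""
    sent_fps = {c.fingerprint for c in chain}
    usable = [c for c in store if c.fingerprint in sent_fps]
    return verify_against_store(chain, usable)

CA = "Verisign_Class_3_Public_Primary_Certification_Authority"
# Root shipped in ca-certificates.crt (fingerprint quoted in the comment).
STORE_ROOT = Cert(CA, CA, "sha1 (assumed)",
                  "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B")
# Older md2 root the server sends instead; fingerprint is a placeholder.
MD2_ROOT = Cert(CA, CA, "md2", "PLACEHOLDER-MD2-ROOT-FINGERPRINT")
LEAF = Cert("secure-test.streamline-esolutions.com", CA, "sha1 (assumed)",
            "PLACEHOLDER-LEAF-FINGERPRINT")

def scenario():
    """Return (full-store result, sent-anchors-only result) for the reported chain."""
    chain, store = [LEAF, MD2_ROOT], [STORE_ROOT]
    return verify_against_store(chain, store), verify_sent_anchors_only(chain, store)

if __name__ == "__main__":
    full, restricted = scenario()
    print(f"full store: {full}, sent anchors only: {restricted}")
```

If the server sent STORE_ROOT instead of MD2_ROOT, both strategies would accept the chain, which is why the comment treats the failure as partly a server configuration issue.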