Comment 2 for bug 1397685

Dimitri John Ledkov (xnox) wrote :

Performing https configuration verification on git.fedorahosted.org:

On Trusty 14.04 LTS, the default gnutls implementation is old 2.6 based:

$ gnutls-cli -V --print-cert -p 443 git.fedorahosted.org </dev/zero | certtool --verify-chain
Certificate[0]: C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org
 Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Verifying against certificate[1].
 Verification output: Verified.

Certificate[1]: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
certtool: the last certificate is not self signed

$ echo $?
1

It does not appear to verify the published chain.

Utopic 14.10 uses gnutls 3.x series by default:

# gnutls-cli -V --print-cert -p 443 git.fedorahosted.org </dev/zero | certtool --verify-chain
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Loaded 2 certificates, 1 CAs and 0 CRLs

 Subject: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
 Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

 Subject: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
 Checked against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Output: Verified. The certificate is trusted.

 Subject: C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org
 Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Checked against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
 Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.

(utopic-amd64)root@djledkov-mobl1:/tmp# echo $?
0

Which appears to be trusted. This looks odd, but not fatal, as a fresh trusty-amd64 in a chroot does seem to be operating correctly.
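The chain check the comment runs with `gnutls-cli ... | certtool --verify-chain`, reproduced offline as an added example that is not part of the bug report or of GnuTLS: a Go program (standard library only) builds a throw-away root, intermediate and wildcard server certificate in memory, then verifies the leaf the way a client would, once with the root in the trust store and once without it. The chain ending at a certificate that is neither self-signed nor in the trust store is exactly the condition behind "the last certificate is not self signed" / "The certificate issuer is unknown" above. All names and the `*.example.org` hostnames are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues one certificate for cn. With parent == nil the certificate is
// self-signed (a root); otherwise it is signed by parent/parentKey.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Server leaf: the SAN carries the (constructed) wildcard name, in the
		// same shape as the *.fedorahosted.org certificate in the report.
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildDemoPKI returns a constructed three-level chain: root -> intermediate -> leaf.
func buildDemoPKI() (root, inter, leaf *x509.Certificate, err error) {
	root, rootKey, err := mkCert("Example High Assurance Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := mkCert("Example SHA2 Server CA", true, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = mkCert("*.example.org", false, inter, interKey)
	return root, inter, leaf, err
}

// verifyChain does what the certtool --verify-chain step in the report does:
// the leaf must chain through the intermediates the server presented to a
// certificate in the trust store (roots), and must match host. An explicit,
// possibly empty, trust store is used instead of the system store so the
// outcome depends only on what this program built.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	opts := x509.VerifyOptions{
		DNSName:       host,
		Intermediates: x509.NewCertPool(),
		Roots:         x509.NewCertPool(), // nil here would mean "use the system roots"
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	root, inter, leaf, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	sent := []*x509.Certificate{inter} // what the server presents besides the leaf
	// Root in the trust store: the chain closes, as on the utopic run.
	fmt.Println("root trusted:        ", verifyChain(leaf, sent, []*x509.Certificate{root}, "git.example.org"))
	// Root absent: the chain ends at a certificate nobody vouches for.
	fmt.Println("root not trusted:    ", verifyChain(leaf, sent, nil, "git.example.org"))
	// Intermediate not sent: the leaf cannot be linked to the root at all.
	fmt.Println("intermediate missing:", verifyChain(leaf, nil, []*x509.Certificate{root}, "git.example.org"))
}
```

`verifyChain` returns `x509.UnknownAuthorityError` in both failing cases, which is the client-side counterpart of the "issuer is unknown" line in the utopic output; checking the returned error type rather than the message is what a monitoring script should do.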