Re: curl server certificate verification failed for a few sites
From: Tobias Geerinckx-Rice
Subject: Re: curl server certificate verification failed for a few sites
Date: Sat, 06 Jun 2020 16:29:26 +0200
Giovanni,
Giovanni Biscuolo wrote:
> ...and sorry again to all other Guix users for the "noise": this is not
> strictly related to Guix but just to the most recent version of curl/wget
Don't be. It was a legitimate bug in a Guix package. Thanks to
Marius for the quick fix, by the way!
> I still don't understand the differences between curl (and wget)
> behaviour and the last Guix available ungoogled-chromium (see below).
The expiration of the Sectigo root triggered a dormant bug in
GnuTLS. Users of other crypto libraries were unaffected.
> I guess that this information, client side, is the same for all browsers
> and CLI interfaces (like curl) since long ago: right?
Yes. Including GnuTLS. It had the right data but drew the wrong
conclusion from it.
> It seems that ungoogled-chromium stops the verification at the
> level=1 certificate:
As your browser and SSLLabs knew, there *was* a valid chain (two,
even) and GnuTLS should have returned success. Instead it
reported failure because there was *also* an invalid expired one.
At the risk of being flamed for oversimplifying: paranoid GnuTLS
was using AND where it should have used OR.
Here's the actual bug report:
<https://gitlab.com/gnutls/gnutls/-/issues/1008>.
(I think the server's still sending too many intermediates, but at
least now all clients will correctly ignore them. They'll just
waste some bandwidth on every handshake.)
Kind regards,
T G-R
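The "AND where it should have used OR" point above can be made concrete with a small chain-building model. The following is an added example written for this page; it is not GnuTLS code and does not reproduce the real bug. It models a server that sends its leaf, a current intermediate, and an extra cross-signed copy of the new root that chains to an expired old root (the shape of the situation described in the thread). All certificate names, key identifiers and dates are constructed for illustration; signatures are represented by matching key identifiers rather than verified cryptographically. `verify_any` applies the correct rule (succeed if any chain to a trust anchor validates); `verify_all` applies the faulty rule (fail if any discovered chain is bad), and the two disagree exactly when the server includes the expired cross-signed certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


# Hypothetical, simplified certificate: only the fields that chain building
# and the expiry check need.  Signature validity is modelled by matching key
# identifiers, not by real cryptographic verification.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # identifies this certificate's public key
    issuer_key_id: str   # identifies the key that signed this certificate
    not_after: datetime


def signs(candidate: Cert, cert: Cert) -> bool:
    """True if `candidate` carries the key that signed `cert`."""
    return candidate.subject == cert.issuer and candidate.key_id == cert.issuer_key_id


def build_chains(leaf: Cert, intermediates: List[Cert], anchors: List[Cert]) -> List[List[Cert]]:
    """Every path from the leaf to a trust anchor, regardless of validity.

    A subject can appear twice in the pool (a root and a cross-signed copy of
    it), so more than one chain may exist for the same leaf.
    """
    chains: List[List[Cert]] = []

    def extend(path: List[Cert]) -> None:
        last = path[-1]
        for anchor in anchors:
            if signs(anchor, last):
                chains.append(path + [anchor])
        for cert in intermediates:
            if cert not in path and signs(cert, last):
                extend(path + [cert])

    extend([leaf])
    return chains


def chain_error(chain: List[Cert], now: datetime) -> Optional[str]:
    """First problem found in a chain, or None if the chain is acceptable."""
    for cert in chain:
        if cert.not_after < now:
            return f"{cert.subject} (issued by {cert.issuer}) expired on {cert.not_after.date()}"
    return None


def verify_any(leaf: Cert, intermediates: List[Cert], anchors: List[Cert],
               now: datetime) -> Tuple[bool, List[str]]:
    """Correct rule (OR): trusted if at least one chain validates."""
    errors: List[str] = []
    for chain in build_chains(leaf, intermediates, anchors):
        err = chain_error(chain, now)
        if err is None:
            return True, [c.subject for c in chain]
        errors.append(err)
    return False, errors or ["no chain to a trust anchor"]


def verify_all(leaf: Cert, intermediates: List[Cert], anchors: List[Cert],
               now: datetime) -> Tuple[bool, List[str]]:
    """Faulty rule (AND): one bad chain among several fails the verification."""
    chains = build_chains(leaf, intermediates, anchors)
    if not chains:
        return False, ["no chain to a trust anchor"]
    errors = [e for e in (chain_error(ch, now) for ch in chains) if e is not None]
    if errors:
        return False, errors
    return True, [c.subject for c in chains[0]]


# Constructed test data (hypothetical names, keys and dates).
UTC = timezone.utc
NOW = datetime(2020, 6, 6, tzinfo=UTC)
NEW_ROOT = Cert("New Root", "New Root", "K_new", "K_new", datetime(2038, 1, 1, tzinfo=UTC))
OLD_ROOT = Cert("Old Root", "Old Root", "K_old", "K_old", datetime(2020, 5, 30, tzinfo=UTC))
# Cross-signed copy of New Root, signed by the (now expired) Old Root.
CROSS = Cert("New Root", "Old Root", "K_new", "K_old", datetime(2020, 5, 30, tzinfo=UTC))
INTERMEDIATE = Cert("Intermediate CA", "New Root", "K_int", "K_new", datetime(2030, 1, 1, tzinfo=UTC))
LEAF = Cert("www.example.test", "Intermediate CA", "K_leaf", "K_int", datetime(2021, 1, 1, tzinfo=UTC))

SERVER_SENDS = [INTERMEDIATE, CROSS]   # the "too many intermediates" case
TRUST_STORE = [NEW_ROOT, OLD_ROOT]     # a client that trusts both roots

if __name__ == "__main__":
    print("chains found:", len(build_chains(LEAF, SERVER_SENDS, TRUST_STORE)))
    print("OR rule :", verify_any(LEAF, SERVER_SENDS, TRUST_STORE, NOW))
    print("AND rule:", verify_all(LEAF, SERVER_SENDS, TRUST_STORE, NOW))
    print("AND rule, cross cert not sent:", verify_all(LEAF, [INTERMEDIATE], TRUST_STORE, NOW))
```

Running the block shows two chains, the OR rule accepting the one through the still-valid root, and the AND rule rejecting the leaf because the other chain contains the expired cross-signed certificate. Dropping the cross-signed certificate from what the server sends makes both rules agree, which is why trimming it from the served chain is the server-side fix even though a correct client no longer needs it.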