Bug#563127: gnutls-bin: Can no longer verify connections to my company's email server

Andreas Metzler ametzler at downhill.at.eu.org
Thu Dec 31 13:09:34 UTC 2009


On 2009-12-31 Sam Morris <sam at robots.org.uk> wrote:
> On Thu, 2009-12-31 at 09:22 +0100, Andreas Metzler wrote:
[...]
>> color me stupid, but I cannot find any reference to the certificate in
>> the file /etc/ssl/certs/Go_Daddy_Class_2_CA.pem (C=US,O=The Go Daddy
>> Group\, Inc.,OU=Go Daddy Class 2 Certification Authority valid
>> 2004-2034) in the debugging output. I think you need to use
>> /etc/ssl/certs/ValiCert_Class_2_VA.pem instead.

> *blinks* hm, indeed! However I get the same 'Peer's certificate issuer
> is not a CA' message with that certificate as well.

> I would be grateful if you could try to confirm this yourself -- the
> server is XXXXXXXXXXXXXXXXXXXXXXX. Sorry to be a bother, but I'm rather
> stumped as to why this has ceased to work recently.
[...]

Hello,
Taking this back to the BTS, to keep the other maintainers in the
boat.

The toplevel certificate

------------------------
Subject: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCertClass 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
SHA-1 fingerprint: 317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6
------------------------

is a V1 CA. GnuTLS does not accept V1 CAs by default. (The version of
GnuTLS in lenny is patched to behave differently.)

Possible workarounds:
* --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT
* Make one of the two intermediary certificates or the server
  certificate itself trusted.

Was this certificate really issued April 2009? Is Go Daddy still using
their V1 CA?

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
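The check behind the message above, as an added example that is not part of the bug report or of GnuTLS: a small DER walker that reports the X.509 version of a certificate and whether it carries the basicConstraints extension (OID 2.5.29.19). A v1 certificate has no version field and no extensions at all, so a verifier cannot learn from the certificate itself whether it is a CA; that is the reason GnuTLS refuses v1 CAs unless the priority string includes %VERIFY_ALLOW_X509_V1_CA_CRT. The two sample certificates are constructed by hand inside the block (dummy names, placeholder key and signature bits); only their structure matters, and they are not the ValiCert or Go Daddy certificates.

```python
# Added example: detect X.509 v1 CA certificates the way a verifier must.
# Not from the bug report or GnuTLS; sample certificates below are constructed.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def parse_tlv(data, off=0):
    """Decode the TLV at `off`; return (tag, value, offset after it)."""
    tag, first = data[off], data[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, data[start:start + length], start + length


def children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    off = 0
    while off < len(value):
        tag, val, off = parse_tlv(value, off)
        yield tag, val


def tbs_certificate(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = parse_tlv(cert_der)
    _, tbs, _ = parse_tlv(cert)
    return tbs


def x509_version(cert_der):
    """Return 1, 2 or 3. The version is [0] EXPLICIT INTEGER and is absent in v1."""
    first_tag, first_val, _ = parse_tlv(tbs_certificate(cert_der))
    if first_tag != 0xA0:
        return 1
    _, ver, _ = parse_tlv(first_val)
    return int.from_bytes(ver, "big") + 1


def basic_constraints(cert_der):
    """Return (present, is_ca) for basicConstraints; extensions sit in [3] (v3 only)."""
    for tag, val in children(tbs_certificate(cert_der)):
        if tag != 0xA3:
            continue
        _, exts, _ = parse_tlv(val)
        for _, ext in children(exts):
            fields = list(children(ext))  # extnID, [critical], extnValue
            if fields[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            _, bc, _ = parse_tlv(fields[-1][1])  # BasicConstraints ::= SEQUENCE { cA BOOLEAN ... }
            inner = list(children(bc))
            is_ca = bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
            return True, is_ca
    return False, False


def acceptable_as_ca(cert_der, allow_v1=False):
    """GnuTLS default: a CA must be v3 with CA:TRUE; v1 only when the caller opts in."""
    if x509_version(cert_der) == 1:
        return allow_v1
    present, is_ca = basic_constraints(cert_der)
    return present and is_ca


# --- constructed sample certificates (dummy names, no real key or signature) ---
def _name(cn):
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue


_SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
_RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")))  # rsaEncryption


def _tbs_body():
    validity = tlv(0x30, tlv(0x17, b"040626000000Z") + tlv(0x17, b"340626000000Z"))
    spki = tlv(0x30, _RSA_ALG + tlv(0x03, b"\x00\x00"))  # placeholder key
    return tlv(0x02, b"\x01") + _SIG_ALG + _name("Dummy CA") + validity + _name("Dummy CA") + spki


def _wrap(tbs):
    return tlv(0x30, tlv(0x30, tbs) + _SIG_ALG + tlv(0x03, b"\x00\x00"))  # placeholder signature


V1_CA = _wrap(_tbs_body())  # no version, no extensions: the shape of a v1 root
_BC_EXT = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff")
              + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
V3_CA = _wrap(tlv(0xA0, tlv(0x02, b"\x02")) + _tbs_body() + tlv(0xA3, tlv(0x30, _BC_EXT)))

if __name__ == "__main__":
    for label, cert in (("v1 root", V1_CA), ("v3 root", V3_CA)):
        print(label, "version", x509_version(cert), "basicConstraints", basic_constraints(cert),
              "trusted by default:", acceptable_as_ca(cert), "with V1 allowed:", acceptable_as_ca(cert, True))
```

On a real system the same question is answered by `certtool -i --infile /etc/ssl/certs/ValiCert_Class_2_VA.pem | grep Version`, which prints the version line of the decoded certificate; a `Version: 1` there is exactly the condition that triggers "Peer's certificate issuer is not a CA" without %VERIFY_ALLOW_X509_V1_CA_CRT.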