Bug#563127: gnutls-bin: Can no longer verify connections to my company's email server

Sam Morris sam at robots.org.uk
Thu Dec 31 14:43:13 UTC 2009


On Thu, 2009-12-31 at 14:09 +0100, Andreas Metzler wrote:
> On 2009-12-31 Sam Morris <sam at robots.org.uk> wrote:
> > On Thu, 2009-12-31 at 09:22 +0100, Andreas Metzler wrote:
> [...]
> >> color me stupid, but I cannot find any reference to the certificate in
> >> the file /etc/ssl/certs/Go_Daddy_Class_2_CA.pem (C=US,O=The Go Daddy
> >> Group\, Inc.,OU=Go Daddy Class 2 Certification Authority valid
> >> 2004-2034) in the debugging output. I think you need to use
> >> /etc/ssl/certs/ValiCert_Class_2_VA.pem instead.
> 
> > *blinks* hm, indeed! However I get the same 'Peer's certificate issuer
> > is not a CA' message with that certificate as well.
> 
> > I would be grateful if you could try to confirm this yourself -- the
> > server is XXXXXXXXXXXXXXXXXXXXXXX. Sorry to be a bother, but I'm rather
> > stumped as to why this has ceased to work recently.
> [...]
> 
> Hello,
> Taking this back to the BTS, to keep the other maintainers in the
> boat.
> 
> The toplevel certificate
> 
> ------------------------
> Subject: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCertClass 2 Policy Validation Authority,CN=http://www.valicert.com/,EMAIL=info@valicert.com
> SHA-1 fingerprint: 317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6
> ------------------------
> 
> is a V1 CA. GnuTLS does not accept V1 CAs by default. (The version of
> GnuTLS in lenny is patched to behave differently.)

Ah, thanks very much for this information! That explains it.

> Possible workarounds:
> * --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT
> * Make one of the two intermediary certificates or the server
>   certificate itself trusted.
> 
> Was this certificate really issued April 2009? Is Godaddy still using
> their V1 CA?

Yes, the certificate is from April 2009. Godaddy may have changed their
procedures since then though.

Thanks again for your analysis.

> 
> cu andreas
> 

-- 
Sam Morris <sam at robots.org.uk>
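Added illustration, not part of the thread: the distinction Andreas points out (a V1 root that GnuTLS rejects by default) is visible in the optional `[0] version` element at the start of a certificate's TBSCertificate, so a trust store can be scanned for V1 CAs without any external library. The two sample certificates below are constructed DER skeletons (only the leading version/serial fields), not real CA certificates.

```python
import base64
import glob
import os
import re


def _der(tag, content):
    """Encode one short-form DER element (content shorter than 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _read_tlv(buf, pos):
    """Parse a DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER certificate: Certificate ::= SEQUENCE {
    tbsCertificate SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... } ... }.
    A missing [0] element means the DEFAULT, i.e. a V1 certificate."""
    tag, pos, _ = _read_tlv(der, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a TBSCertificate SEQUENCE")
    tag, vstart, _ = _read_tlv(der, pos)     # first TBS element: [0] version or serialNumber
    if tag != 0xA0:
        return 1
    itag, istart, iend = _read_tlv(der, vstart)
    if itag != 0x02:
        raise ValueError("version element does not wrap an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1


def pem_to_der(pem_text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if body is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(body.group(1).split()))


def scan_trust_store(directory):
    """Map each *.pem in directory to its X.509 version (None if unparsable); V1 entries are
    the CAs GnuTLS refuses unless %VERIFY_ALLOW_X509_V1_CA_CRT is given."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.pem"))):
        with open(path) as fh:
            try:
                results[path] = x509_version(pem_to_der(fh.read()))
            except (ValueError, IndexError):
                results[path] = None
    return results


# Constructed skeletons: V3 carries [0]{INTEGER 2} before the serial; V1 omits it entirely.
V3_SKELETON = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")))
V1_SKELETON = _der(0x30, _der(0x30, _der(0x02, b"\x01")))
V1_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(V1_SKELETON).decode()
```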