Ticket #1356 (closed defect: fixed)
Debian certificate store does not trust InCommon signer
| Reported by: | geofft | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | The Distant Future |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | |
| Upstream bug: | Debian:762709 | | |
Description
```
geofft@leveret:~$ gnutls-cli scripts.mit.edu -p 443
Resolving 'scripts.mit.edu'...
Connecting to '18.181.0.43:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1022 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
  - subject `serialNumber=sKLt5io360jM-oAd2EGLNK0EraXwXE46,C=US,ST=Massachusetts,L=Cambridge,O=Massachusetts Institute of Technology,OU=scripts.mit.edu web hosting service,CN=scripts.mit.edu', issuer `C=US,O=GeoTrust\, Inc.,CN=GeoTrust SSL CA', RSA key 4096 bits, signed using RSA-SHA1, activated `2011-05-24 11:40:52 UTC', expires `2016-06-24 16:28:06 UTC', SHA-1 fingerprint `422672285446d04a057fb038d917ab39fa868c02'
 - Certificate[1] info:
  - subject `C=US,O=GeoTrust\, Inc.,CN=GeoTrust SSL CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-19 22:39:26 UTC', expires `2020-02-18 22:39:26 UTC', SHA-1 fingerprint `780a06f6e9b4061cad0c6502710606eb535f1c26'
- The hostname in the certificate matches 'scripts.mit.edu'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
```
You see the same sort of thing with an OpenSSL-using client (openssl, socat, etc.).
I am a little confused, because Iceweasel trusts it just fine, and I _thought_ that Debian had hacked up iceweasel / its libnss3 to use the system certificate store -- also because I thought Debian regularly syncs ca-certificates with the Mozilla list of trusted certs (and then makes some capricious changes on their own like including CACert, but).
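The failure mode in the report (a server sends a complete leaf-plus-intermediate chain, the hostname matches, and verification still fails with "issuer is unknown" because the root that signed the intermediate is absent from the trust store) can be reproduced offline. The script below is an added example, not part of the ticket or of Debian's tooling: it builds a constructed root -> intermediate -> leaf chain with made-up names, then runs `openssl verify` twice, once with the root left out of the trust store and once with it included. It assumes the `openssl` command-line tool (1.1.0 or newer, for `-no-CAfile`/`-no-CApath`) is installed.

```shell
#!/bin/sh
# Added example, not from the ticket: reproduce "Peer's certificate issuer is
# unknown" offline by building a constructed root -> intermediate -> leaf chain
# and verifying the leaf with and without the root in the trust store.
# Assumption: openssl CLI 1.1.0+ (needed for -no-CAfile / -no-CApath).
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build the constructed chain once; every name below is a made-up test value.
gen_chain() {
  [ -f "$WORK/leaf.pem" ] && return 0
  # Extensions that make the intermediate a real CA certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Self-signed root: the kind of certificate ca-certificates would need to ship.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate signed by the root (the "GeoTrust SSL CA" role in the ticket).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" 2>/dev/null
  # Leaf (server) certificate signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=scripts.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Trust store without the root. The intermediate is passed as an untrusted
# chain member, exactly as a server sends it, but nothing anchors it, so
# verification fails with "unable to get local issuer certificate".
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# Same chain, root present in the trust store: verification succeeds.
verify_with_root() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

gen_chain
echo "--- root absent from trust store ---"
verify_without_root || echo "verification failed (exit $?)"
echo "--- root present in trust store ---"
verify_with_root
```

The `-no-CAfile`/`-no-CApath` flags keep the system store out of the picture so the outcome depends only on the files passed in; to check a chain against the Debian store instead, drop them and point `-CAfile` at `/etc/ssl/certs/ca-certificates.crt`. Note that `-untrusted` is the right place for the intermediate: putting it in `-CAfile` would make the test pass for the wrong reason, by treating the intermediate itself as a trust anchor.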