| 1 |
Hi, |
| 2 |
|
| 3 |
I have few applications which use webkit-gtk and gnutls behind as far |
| 4 |
as I know, recently I noticed that RSS feeds for some distrowatch.com |
| 5 |
subscriptions I had started to fail, initially I did ignore them I |
| 6 |
thought something is wrong on the server side and it was not critical. |
| 7 |
|
| 8 |
But since it wasn't fixed I started to investigate a little bit more. |
| 9 |
|
| 10 |
So, in the end it seems to be related to gnutls on Gentoo (I'm running |
| 11 |
~amd64) |
| 12 |
|
| 13 |
net-libs/gnutls-3.7.2 abi_x86_64 cxx idn nls openssl seccomp tls- |
| 14 |
heartbeat tools |
| 15 |
|
| 16 |
Important note, websites using Let's Encrypt certificates work fine, |
| 17 |
except this one (only example known to me). Based on the output of |
| 18 |
`gnutls-cli` it seems that server certificate is served twice compared |
| 19 |
to other working ones (I could be wrong). |
| 20 |
|
| 21 |
Example output: |
| 22 |
$ gnutls-cli distrowatch.com:443 |
| 23 |
Processed 130 CA certificate(s). |
| 24 |
Resolving 'distrowatch.com:443'... |
| 25 |
Connecting to '82.103.129.71:443'... |
| 26 |
- Certificate type: X.509 |
| 27 |
- Got a certificate list of 4 certificates. |
| 28 |
- Certificate[0] info: |
| 29 |
- subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', |
| 30 |
serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits, |
| 31 |
signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires |
| 32 |
`2021-12-14 03:49:14 UTC', pin- |
| 33 |
sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI=" |
| 34 |
Public Key ID: |
| 35 |
sha1:fcd2b25ac6ffd73fce3ef65211defd25331dc151 |
| 36 |
sha256:4285b5b620c613c4b714bba4c3ceb244bf087debd138fc6 |
| 37 |
7c74ab056ebbfad42 |
| 38 |
Public Key PIN: |
| 39 |
pin- |
| 40 |
sha256:QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI= |
| 41 |
|
| 42 |
- Certificate[1] info: |
| 43 |
- subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', |
| 44 |
serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits, |
| 45 |
signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires |
| 46 |
`2021-12-14 03:49:14 UTC', pin- |
| 47 |
sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI=" |
| 48 |
- Certificate[2] info: |
| 49 |
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root |
| 50 |
X1,O=Internet Security Research Group,C=US', serial |
| 51 |
0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using |
| 52 |
RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 |
| 53 |
16:00:00 UTC', pin- |
| 54 |
sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=" |
| 55 |
- Certificate[3] info: |
| 56 |
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', |
| 57 |
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial |
| 58 |
0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using |
| 59 |
RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 |
| 60 |
18:14:03 UTC', pin- |
| 61 |
sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=" |
| 62 |
- Status: The certificate is NOT trusted. The certificate issuer is |
| 63 |
unknown. |
| 64 |
*** PKI verification of server certificate failed... |
| 65 |
*** Fatal error: Error in the certificate. |
| 66 |
|
| 67 |
|
| 68 |
Firefox and Chrome open website just fine, no complains. Also openssl |
| 69 |
client doesn't complain if I read the output right. |
| 70 |
|
| 71 |
|
| 72 |
I have tested this on Fedora 35 as well using gnutls-cli, it comes with |
| 73 |
same gnutls release, and has no issues connecting to problematic host. |
| 74 |
So I suspect it's something to do with my system, Gentoo ebuild, or |
| 75 |
combination of libraries used for gnutls on my Gentoo system. |
| 76 |
|
| 77 |
I have found an interesting (similar) bug[1] which was fixed in the |
| 78 |
current release (fix is included in 3.7.2 based on the NEWS/Release |
| 79 |
notes) where gnutls would fail if Root CA certificate is present twice |
| 80 |
in the chain. |
| 81 |
|
| 82 |
Can anyone confirm it happening on their system as well, I was not sure |
| 83 |
should I open a Gentoo bug. |
| 84 |
|
| 85 |
Regards, |
| 86 |
Branko |
| 87 |
|
| 88 |
|
| 89 |
[1] https://gitlab.com/gnutls/gnutls/-/issues/1131 |
Archives