On 2021.11.23 14:43, Branko Grubić wrote:
> Hi,
>
> I have a few applications which use webkit-gtk and gnutls behind as far
> as I know, recently I noticed that RSS feeds for some distrowatch.com
> subscriptions I had started to fail, initially I did ignore them I
> thought something is wrong on the server side and it was not critical.
>
> But since it wasn't fixed I started to investigate a little bit more.
>
> So, in the end it seems to be related to gnutls on Gentoo (I'm running
> ~amd64)
>
> net-libs/gnutls-3.7.2 abi_x86_64 cxx idn nls openssl seccomp tls-heartbeat tools
>
> Important note, websites using Let's Encrypt certificates work fine,
> except this one (only example known to me). Based on the output of
> `gnutls-cli` it seems that server certificate is served twice compared
> to other working ones (I could be wrong).
>
> Example output:
> $ gnutls-cli distrowatch.com:443
> Processed 130 CA certificate(s).
> Resolving 'distrowatch.com:443'...
> Connecting to '82.103.129.71:443'...
> - Certificate type: X.509
> - Got a certificate list of 4 certificates.
> - Certificate[0] info:
> - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US',
> serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits,
> signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires
> `2021-12-14 03:49:14 UTC',
> pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
> Public Key ID:
> sha1:fcd2b25ac6ffd73fce3ef65211defd25331dc151
> sha256:4285b5b620c613c4b714bba4c3ceb244bf087debd138fc67c74ab056ebbfad42
> Public Key PIN:
> pin-sha256:QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI=
>
> - Certificate[1] info:
> - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US',
> serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits,
> signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires
> `2021-12-14 03:49:14 UTC',
> pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
> - Certificate[2] info:
> - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
> X1,O=Internet Security Research Group,C=US', serial
> 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using
> RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15
> 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
> - Certificate[3] info:
> - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
> issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
> 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using
> RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30
> 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
>
>
> Firefox and Chrome open website just fine, no complaints. Also openssl
> client doesn't complain if I read the output right.
>
>
> I have tested this on Fedora 35 as well using gnutls-cli, it comes with
> same gnutls release, and has no issues connecting to problematic host.
> So I suspect it's something to do with my system, Gentoo ebuild, or
> combination of libraries used for gnutls on my Gentoo system.
>
> I have found an interesting (similar) bug[1] which was fixed in the
> current release (fix is included in 3.7.2 based on the NEWS/Release
> notes) where gnutls would fail if Root CA certificate is present twice
> in the chain.
>
> Can anyone confirm it happening on their system as well, I was not
> sure whether I should open a Gentoo bug.
>
> Regards,
> Branko
>
>
> [1] https://gitlab.com/gnutls/gnutls/-/issues/1131

Works fine for me, after recompiling gnutls to add nls and tools. I
haven't compared the outputs completely, but first pass I don't see any
differences, although I could easily have missed one.

$gnutls-cli distrowatch.com:443
Processed 128 CA certificate(s).
Resolving 'distrowatch.com:443'...
Connecting to '82.103.129.71:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits,
signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires
`2021-12-14 03:49:14 UTC',
pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
Public Key ID:
sha1:fcd2b25ac6ffd73fce3ef65211defd25331dc151
sha256:4285b5b620c613c4b714bba4c3ceb244bf087debd138fc67c74ab056ebbfad42
Public Key PIN:
pin-sha256:QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI=

- Certificate[1] info:
- subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits,
signed using RSA-SHA256, activated `2021-09-15 03:49:15 UTC', expires
`2021-12-14 03:49:14 UTC',
pin-sha256="QoW1tiDGE8S3FLukw86yRL8IfevROPxnx0qwVuu/rUI="
- Certificate[2] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
X1,O=Internet Security Research Group,C=US', serial
0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using
RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15
16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using
RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30
18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description:
(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID:
83:62:97:D1:C0:77:19:76:F8:2F:41:7E:DD:CD:C5:A6:35:2A:5D:4C:39:B4:F5:12:CA:09:0F:07:26:BA:83:5F
- Options:
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GnuTLS connection
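
The first message reads the `gnutls-cli` listing as showing the server certificate served twice. As an added example (not part of either message, and not GnuTLS code), this Python code parses raw, unquoted `gnutls-cli` output, flags repeated entries by issuer and serial, and checks that each remaining certificate is issued by the next one; `parse_chain`, `analyze` and the trimmed `SAMPLE` are names and data constructed for illustration.

```python
import re

# Constructed sample: the chain from the thread's gnutls-cli output, cut down to
# subject, issuer and serial; one entry keeps the e-mail line wrapping.
SAMPLE = """\
- Certificate[0] info:
 - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits
- Certificate[1] info:
 - subject `CN=distrowatch.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0408fd5a5ae26286bed92e97da0c830f623c, RSA key 2048 bits
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
X1,O=Internet Security Research Group,C=US', serial
0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""

ENTRY = re.compile(
    r"- Certificate\[(\d+)\] info:(.*?)(?=- Certificate\[\d+\] info:|- Status:|\Z)", re.S)
FIELDS = re.compile(r"subject `(.*?)',\s+issuer `(.*?)',\s+serial\s+(0x[0-9a-fA-F]+)", re.S)

def parse_chain(text):
    """Return one dict per certificate entry in gnutls-cli output."""
    chain = []
    for m in ENTRY.finditer(text):
        f = FIELDS.search(m.group(2))
        if f:  # skip entries whose info line is missing or truncated
            subject, issuer = (" ".join(g.split()) for g in f.group(1, 2))
            chain.append({"index": int(m.group(1)), "subject": subject,
                          "issuer": issuer, "serial": f.group(3).lower()})
    return chain

def analyze(chain):
    """Find repeated certificates and broken issuer links in a parsed chain."""
    seen, unique, duplicates = {}, [], []
    for cert in chain:
        key = (cert["issuer"], cert["serial"])  # issuer + serial identifies a certificate
        if key in seen:
            duplicates.append((seen[key], cert["index"]))
        else:
            seen[key] = cert["index"]
            unique.append(cert)
    # After dropping repeats, each certificate should be issued by the next one.
    breaks = [a["index"] for a, b in zip(unique, unique[1:]) if a["issuer"] != b["subject"]]
    # Issuer names to look up in the local trust store, leaf end first.
    return {"duplicates": duplicates, "breaks": breaks,
            "issuers": [c["issuer"] for c in unique]}
```

On the sample, `analyze(parse_chain(SAMPLE))` reports the repeat at positions 0 and 1 and no broken issuer links, which leaves the listed issuer names as the values to compare against each machine's CA store.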