← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #20477

[Bug 1373422] [NEW] gnutls fails to connect to https://01.org in trusty

  Thread PreviousDate PreviousThread Next 
Public bug reported:

gnutls fails to connect to https://01.org in trusty

In the certificate chain the top level certficate is trusted and is in
/etc/ssl/certs/ca-certificates.crt, and gnutls-cli (3.x based) in utopic
and openssl connect to 01.org just fine.

gnutls-cli (2.6 based) in trusty does not.

Good:
(trusty-amd64)root@DJLEDKOV-MOBL1:~# curl -v https://01.org 
* Rebuilt URL to: https://01.org/
* Hostname was NOT found in DNS cache
*   Trying 198.145.11.105...
* Connected to 01.org (198.145.11.105) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* 	 subject: OU=Domain Control Validated; OU=Issued through Intel Corporation E-PKI Manager; OU=COMODO SSL Unified Communications; CN=01.org
* 	 start date: 2014-04-18 00:00:00 GMT
* 	 expire date: 2017-04-17 23:59:59 GMT
* 	 subjectAltName: 01.org matched
* 	 issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO SSL CA
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 01.org
> Accept: */*


Bad:
 gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt 01.org     
Processed 164 CA certificate(s).
Resolving '01.org'...
Connecting to '198.145.11.105:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.


Thus anything that talks to 01.org over https using gnutls (e.g. git with libcur(gnutls)) fails to verify certificates and thus does not work in Trusty.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gnutls-bin 3.0.11+really2.12.23-12ubuntu2.1
ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
Uname: Linux 3.13.0-36-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Sep 24 14:20:18 2014
InstallationDate: Installed on 2014-08-15 (40 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: gnutls26
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gnutls26 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug trusty

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1373422

Title:
  gnutls fails to connect to https://01.org in trusty

Status in “gnutls26” package in Ubuntu:
  New

Bug description:
  gnutls fails to connect to https://01.org in trusty

  In the certificate chain the top level certficate is trusted and is in
  /etc/ssl/certs/ca-certificates.crt, and gnutls-cli (3.x based) in
  utopic and openssl connect to 01.org just fine.

  gnutls-cli (2.6 based) in trusty does not.

  Good:
  (trusty-amd64)root@DJLEDKOV-MOBL1:~# curl -v https://01.org 
  * Rebuilt URL to: https://01.org/
  * Hostname was NOT found in DNS cache
  *   Trying 198.145.11.105...
  * Connected to 01.org (198.145.11.105) port 443 (#0)
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server key exchange (12):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using ECDHE-RSA-AES256-GCM-SHA384
  * Server certificate:
  * 	 subject: OU=Domain Control Validated; OU=Issued through Intel Corporation E-PKI Manager; OU=COMODO SSL Unified Communications; CN=01.org
  * 	 start date: 2014-04-18 00:00:00 GMT
  * 	 expire date: 2017-04-17 23:59:59 GMT
  * 	 subjectAltName: 01.org matched
  * 	 issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO SSL CA
  * 	 SSL certificate verify ok.
  > GET / HTTP/1.1
  > User-Agent: curl/7.35.0
  > Host: 01.org
  > Accept: */*

  
  Bad:
   gnutls-cli -V --x509cafile /etc/ssl/certs/ca-certificates.crt 01.org     
  Processed 164 CA certificate(s).
  Resolving '01.org'...
  Connecting to '198.145.11.105:443'...
  *** Verifying server certificate failed...
  *** Fatal error: Error in the certificate.
  *** Handshake has failed
  GnuTLS error: Error in the certificate.

  
  Thus anything that talks to 01.org over https using gnutls (e.g. git with libcur(gnutls)) fails to verify certificates and thus does not work in Trusty.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: gnutls-bin 3.0.11+really2.12.23-12ubuntu2.1
  ProcVersionSignature: Ubuntu 3.13.0-36.63-generic 3.13.11.6
  Uname: Linux 3.13.0-36-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Sep 24 14:20:18 2014
  InstallationDate: Installed on 2014-08-15 (40 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  SourcePackage: gnutls26
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1373422/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next