[Bug 1796712] Re: libcurl3-gnutls in trusty fails to verify certificates when certificate chain is out-of-order

Launchpad Bug Tracker 1796712 at bugs.launchpad.net
Wed Jun 2 22:28:12 UTC 2021


Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: curl (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1796712

Title:
  libcurl3-gnutls in trusty fails to verify certificates when
  certificate chain is out-of-order

Status in curl package in Ubuntu:
  Confirmed

Bug description:
  libcurl3-gnutls 7.35.0-1ubuntu2.17 fails to verify remote certificate
  if the certificate chain provided is out-of-order. This is caused by
  the libgnutls-dev package dependency, since the libgnutls26 package is
  apparently long known to have this issue:
  https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1373422

  This bug can be observed with git, which depends on libcurl3-gnutls:

  git clone https://gnunet.org/git/libmicrohttpd.git/
  Cloning into 'libmicrohttpd'...
  fatal: unable to access 'https://gnunet.org/git/libmicrohttpd.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

  libgnutls28 package fixes this issue, since out-of-order certificate
  chains are allowed in that package. I am not very familiar with the Debian
  packaging process, so I was wondering if it is possible at all to bump
  dependency of libcurl3-gnutls from libgnutls-dev -> libgnutls28-dev
  for trusty.

  libgnutls28-dev conflicts with libgnutls-dev. At first sight, one of
  the dependencies of libcurl3-gnutls-dev, librtmp-dev, also depends on
  libgnutls-dev. So, again I am not sure if this change is applicable or
  it causes nontrivial reverse-dependency issues.

  Given that the above bug filed against gnutls26 is still open after 4 years, I
  thought it might be easier to solve it on libcurl dependencies. (Is
  it?)

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1796712/+subscriptions
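
An added example, not part of the original bug report and not GnuTLS or curl code: one way to check whether a server-sent chain is out-of-order and to rebuild leaf-first order by following issuer-to-subject links. The (subject, issuer) pairs, the names in them and the function names are constructed for illustration; real certificates would have to be parsed first.

```python
from typing import Dict, List, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN), standing in for a parsed X.509 cert

# Constructed sample: leaf first, but the two intermediates are swapped.
SAMPLE_CHAIN: List[Cert] = [
    ("CN=www.example.test", "CN=Example Intermediate CA 2"),
    ("CN=Example Intermediate CA 1", "CN=Example Root CA"),
    ("CN=Example Intermediate CA 2", "CN=Example Intermediate CA 1"),
]


def is_ordered(chain: List[Cert]) -> bool:
    """True if every certificate is directly followed by its issuer's certificate."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def sort_chain(chain: List[Cert]) -> List[Cert]:
    """Rebuild leaf-first order by following issuer -> subject links.

    Assumes chain[0] is the server (leaf) certificate and that subject names
    are unique in the list. Certificates not on the leaf's path are dropped.
    Name matching only diagnoses ordering; it does not verify any signature.
    """
    if not chain:
        return []
    by_subject: Dict[str, Cert] = {c[0]: c for c in chain[1:]}
    ordered = [chain[0]]
    seen = {chain[0][0]}
    while True:
        subject, issuer = ordered[-1]
        if issuer == subject:  # self-signed root was sent: path is complete
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt[0] in seen:  # issuer not sent, or a loop
            break
        ordered.append(nxt)
        seen.add(nxt[0])
    return ordered


if __name__ == "__main__":
    print("ordered as sent:", is_ordered(SAMPLE_CHAIN))
    for subject, issuer in sort_chain(SAMPLE_CHAIN):
        print(f"{subject}  <-  {issuer}")
```

The sorted chain ends at the last intermediate whose issuer was not sent; that issuer is expected to be found in the local trust store (here, the CAfile named in the error message).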


