[ not sure what's the point of CCing debian-devel, but I kept it. I removed Ian from the chain though, since he hasn't been much involved with curl lately ] On sab, nov 29, 2014 at 01:10:20 +0100, Peter Palfrader wrote: > Hi, > > I recently started to move parts of debian.org's infrastructure to jessie. I > noticed a regression with software using curl to do https with certificate > verification. > > On wheezy, this works: > > | weasel@mipsel-manda-01:~$ cat /etc/apt/apt.conf.d/puppet-https-buildd > | Acquire::https::buildd.debian.org::CaInfo "/etc/ssl/servicecerts/buildd.debian.org.crt"; > | weasel@mipsel-manda-01:~$ tail -n1 /etc/apt/sources.list.d/buildd.debian.org.list > | deb https://buildd.debian.org/apt/ wheezy main > > I.e., I can use a local copy of the expected end-entity certificate to > authenticate a https server. > > On jessie this no longer works: > > } Err https://buildd.debian.org wheezy/main mipsel Packages > } server certificate verification failed. CAfile: /etc/ssl/servicecerts/buildd.debian.org.crt CRLfile: none I assume that this is using apt-transport-https, which in turn uses libcurl3-gnutls. > Is this intentional, or is that a bug in either gnutls, curl, or the software > using these libraries? AFAICT this is due to the gnutls26 -> gnutls28 switch. Using libgnutls-dev to build curl instead of libgnutls28-dev makes it possible to point CURLOPT_CAINFO to a single leaf certificate and have the verification succeed. FWIW the current behaviour is the same with openssl. I don't know if there's a reason for it though. Cheers
Attachment:
signature.asc
Description: Digital signature