Bug 1148889 - gnutls_certificate_set_x509_trust_file() has no effect if gnutls_certificate_set_x509_system_trust() is called.
Summary: gnutls_certificate_set_x509_trust_file() has no effect if gnutls_certificate_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F21FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2014-10-02 15:14 UTC by David Woodhouse
Modified: 2014-11-01 17:01 UTC (History)
3 users (show)

Fixed In Version: gnutls-3.3.9-1.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-01 17:01:09 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
chain of valid certs for this server (6.36 KB, text/x-vhdl)
2014-10-02 15:14 UTC, David Woodhouse
no flags Details

Description David Woodhouse 2014-10-02 15:14:32 UTC
Created attachment 943418 [details]
chain of valid certs for this server

$ openconnect --cafile scsir-certchain.crt scsir.intel.com
POST https://scsir.intel.com/
Attempting to connect to server 213.190.153.55:443
SSL negotiation with scsir.intel.com
Server certificate verify failed: signer not found


If I hack openconnect's gnutls.c to eliminate the call to gnutls_certificate_set_x509_system_trust() so it's *only* using the user-provided certs, then it works fine. Note that in this case none of the relevant certs are actually *in* the system database. It looks like we just aren't *bothering* with the provided trust file.

Comment 1 Nikos Mavrogiannopoulos 2014-10-09 09:45:31 UTC
The issue has been addressed upstream:

https://gitorious.org/gnutls/gnutls/commit/24c4991469509d7a57d8d61ab619a19a2034bdc7

Comment 2 Fedora Update System 2014-10-13 09:48:35 UTC
gnutls-3.3.9-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.9-1.fc21

Comment 3 Fedora Update System 2014-10-14 04:35:13 UTC
Package gnutls-3.3.9-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.9-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12774/gnutls-3.3.9-1.fc21
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-11-01 17:01:09 UTC
gnutls-3.3.9-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.