Comment 6 for bug 1031333

Michael Vogt (mvo) wrote:

It seems like the problem is the following:

- gnutls passes all certificates in /etc/ssl/certs/ca-certificates.crt
- the server returns a certificate that is signed with the Verisign_Class_3_Public_Primary_Certification_Authority.pem certificate, whose fingerprint (from "openssl x509 -in Verisign_Class_3_Public_Primary_Certification_Authority.pem -noout -fingerprint") is:
  SHA1 Fingerprint=A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
- the server does *not* return this certificate though, it returns a weaker md2 certificate
- the "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B" certificate is part of the trusted certs, so gnutls is happy

- gio-network is looking at each of the certificates in the certification chain returned by the server
- it will *not* load all certificates from /etc/ssl/certs/ca-certificates.crt for verification, but *only* those that are also returned by the server as part of the verification chain
- the server only returns the weak md2 certificate and not the stronger A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B certificate
- gio cannot find the md2 certificate as we do not ship that
- gio fails with an error as it does not find a root certificate from the server that is also in the local /etc/ssl/certs/ca-certificates.crt

This indicates server misconfiguration IMO, plus it seems that gio is overly restrictive here. It could simply pass all data to gnutls for the verification.
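The two verification strategies the comment contrasts, as an added toy model (this is not glib/gio or gnutls code and does no real X.509 parsing; the certificate records, the fingerprint function and the "signed_by_key" stand-in for a signature check are all constructed):

```python
from hashlib import sha1

# Constructed certificate records. A real chain is DER-encoded X.509; the
# fields below are just what the two strategies need. "signed_by_key" stands
# in for verifying the certificate's signature with the issuer's public key.
VERISIGN = "Verisign Class 3 Public Primary Certification Authority"

ROOT_SHA1 = {"subject": VERISIGN, "issuer": VERISIGN, "pubkey": "KEY-A",
             "signed_by_key": "KEY-A", "sig_alg": "sha1WithRSAEncryption"}
# Same CA name and same key, but the older copy carrying an MD2 signature.
ROOT_MD2 = dict(ROOT_SHA1, sig_alg="md2WithRSAEncryption")
LEAF = {"subject": "www.example.test", "issuer": VERISIGN, "pubkey": "KEY-L",
        "signed_by_key": "KEY-A", "sig_alg": "sha1WithRSAEncryption"}

LOCAL_STORE = [ROOT_SHA1]         # model of what ca-certificates ships
SERVER_CHAIN = [LEAF, ROOT_MD2]   # what the misconfigured server sends
FIXED_CHAIN = [LEAF, ROOT_SHA1]   # what a correctly configured server sends


def fingerprint(cert):
    """Model of the SHA1 fingerprint over the DER encoding: the signature
    algorithm is part of the encoding, so the two roots get different
    fingerprints even though subject and key are identical."""
    blob = "|".join(cert[k] for k in ("subject", "issuer", "pubkey", "sig_alg"))
    return sha1(blob.encode()).hexdigest()


def verify_chain_only(chain, store):
    """gio-style: only certificates the server itself sent are candidates,
    and one of them must be byte-identical to a local trust anchor."""
    trusted = {fingerprint(c) for c in store}
    return any(fingerprint(c) in trusted for c in chain)


def verify_against_store(chain, store):
    """gnutls-style: a chain certificate issued and signed by a locally
    trusted CA is accepted, whichever copy of that CA the server sent.
    (Simplified: intermediate-to-intermediate links are not modelled.)"""
    for cert in chain:
        for anchor in store:
            if (anchor["subject"] == cert["issuer"]
                    and anchor["pubkey"] == cert["signed_by_key"]):
                return True
    return False


if __name__ == "__main__":
    print("server chain, gio-style   :", verify_chain_only(SERVER_CHAIN, LOCAL_STORE))
    print("server chain, gnutls-style:", verify_against_store(SERVER_CHAIN, LOCAL_STORE))
    print("fixed chain,  gio-style   :", verify_chain_only(FIXED_CHAIN, LOCAL_STORE))
```

With the misconfigured chain the fingerprint-only check fails while the store-based check succeeds; once the server sends the SHA1 copy of the root, both checks agree.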