
Re: curl server certificate verification failed for a few sites

From: Tobias Geerinckx-Rice
Subject: Re: curl server certificate verification failed for a few sites
Date: Sat, 06 Jun 2020 16:29:26 +0200


Giovanni Biscuolo wrote:
> ...and sorry again to all other Guix users for the "noise": this is not
> strictly related to Guix but just to the most recent version of

Don't be. It was a legitimate bug in a Guix package. Thanks to Marius for the quick fix, by the way!

> I still don't understand the differences between curl (and wget) behaviour and the last Guix available ungoogled-chromium (see below).

The expiration of the Sectigo root triggered a dormant bug in GnuTLS. Users of other crypto libraries were unaffected.

> I guess that this information, client side, is the same for all browsers
> and CLI interfaces (like curl) since long ago: right?

Yes. Including GnuTLS. It had the right data but drew the wrong conclusion from it.

> It seems that ungoogled-chromium stops the verification at the level=1 certificate:

As your browser and SSLLabs knew, there *was* a valid chain (two, even) and GnuTLS should have returned success. Instead it reported failure because there was *also* an invalid expired one.

At the risk of being flamed for oversimplifying: paranoid GnuTLS was using AND where it should have used OR.

Here's the actual bug report: <>.

(I think the server's still sending too many intermediates, but at least now all clients will correctly ignore them. They'll just waste some bandwidth on every handshake.)

Kind regards,
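
The "AND where it should have used OR" point above, as an added example that is not part of the original message and is not GnuTLS code: a toy path builder that matches certificates by name only (no signatures), run over a constructed chain with one valid path and one path ending in an expired root. All certificate names, dates and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def candidate_paths(leaf, pool, roots):
    """Yield every issuer path from the leaf to a trusted root (name matching only)."""
    def walk(cert, path):
        for root in roots:                      # path terminates at a trust anchor
            if root.subject == cert.issuer:
                yield path + [root]
        for nxt in pool:                        # or continues through a server-sent cert
            if nxt.subject == cert.issuer and nxt not in path:
                yield from walk(nxt, path + [nxt])
    yield from walk(leaf, [leaf])

def path_ok(path, today):
    """A path is acceptable only if no certificate on it has expired."""
    return all(c.not_after >= today for c in path)

def verify_all(leaf, pool, roots, today):
    """Buggy policy (AND): one expired candidate path fails the whole verification."""
    paths = list(candidate_paths(leaf, pool, roots))
    return bool(paths) and all(path_ok(p, today) for p in paths)

def verify_any(leaf, pool, roots, today):
    """Correct policy (OR): succeed as soon as one candidate path is valid."""
    return any(path_ok(p, today) for p in candidate_paths(leaf, pool, roots))

# Constructed sample data: an expired old root plus a cross-signed copy of the new root.
TODAY = date(2020, 6, 6)
LEAF = Cert("example.test", "Intermediate CA", date(2021, 1, 1))
INTERMEDIATE = Cert("Intermediate CA", "New Root", date(2030, 1, 1))
CROSS_SIGNED = Cert("New Root", "Old Root", date(2020, 5, 30))   # extra cert sent by server
NEW_ROOT = Cert("New Root", "New Root", date(2038, 1, 1))
OLD_ROOT = Cert("Old Root", "Old Root", date(2020, 5, 30))       # expired trust anchor
POOL = [INTERMEDIATE, CROSS_SIGNED]
ROOTS = [NEW_ROOT, OLD_ROOT]

if __name__ == "__main__":
    for p in candidate_paths(LEAF, POOL, ROOTS):
        print(" -> ".join(c.subject for c in p), "valid" if path_ok(p, TODAY) else "expired")
    print("AND policy:", verify_all(LEAF, POOL, ROOTS, TODAY))
    print("OR policy: ", verify_any(LEAF, POOL, ROOTS, TODAY))
```

Dropping `CROSS_SIGNED` from `POOL` removes the expired path, and both policies then agree, which is why the failure only appeared for servers that still sent the extra intermediate.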

