libsoup/gnutls: fail to validate common SSL certificates (for example, Google)



Hello!

With a recent gnutls change, certificate checking became more strict:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514807

This affects major sites like Google, which validate fine in other
programs. Debian has patched gnutls in Etch and Lenny to keep these
certificates working. Other distros haven't done that, among them
Ubuntu.

On those distros it is impossible to use secure https with libsoup with
the affected sites. To make matters worse, some of the Google services
are only available via SSL, like SyncML (affects SyncEvolution 0.9,
http://bugzilla.moblin.org/show_bug.cgi?id=4551).

The general consensus was that instead of patching gnutls, users of it
should be updated whenever possible. One such user is libsoup. As
discussed with its maintainer on IRC and in the bug report (see below),
doing it inside libsoup is considered safe because of the definition of
the libsoup API (the CA cert files should only contain CA certs, not the
problematic personal certs).

A patch for this was submitted and included in 2.27.5. Please consider
backporting this to the 2.26 (or older) releases of libsoup in your
distros:
        http://bugzilla.gnome.org/show_bug.cgi?id=589323

-- 
Bye, Patrick Ohly
--  
Patrick Ohly gmx de
http://www.estamos.de/



