[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: gnutls 'name-constraints' test failure
From: |
Ludovic Courtès |
Subject: |
Re: gnutls 'name-constraints' test failure |
Date: |
Sun, 17 Jul 2016 15:25:46 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Leo Famulari <address@hidden> skribis:
> On Sat, Jul 16, 2016 at 09:04:47PM +0200, nee wrote:
>> ./certtool: line 83: datefudge: command not found
>>
>> You need datefudge to run this test
>>
>> FAIL: name-constraints
>> ======================
>>
>> Loaded 3 certificates, 1 CAs and 0 CRLs
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key
>> Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate
>> issuer is unknown.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key
>> Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Output: Verified. The certificate is trusted.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=bazz.foobar.com
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate
>> chain uses expired certificate.
>>
>> Chain verification output: Not verified. The certificate is NOT trusted. The
>> certificate chain uses expired certificate.
>>
>> name constraints test 1 failed
>
> The test certificates have expired.
>
> I think we need to apply this patch with a graft, from the gnutls_3_4_x
> branch:
> https://gitlab.com/gnutls/gnutls/commit/47f25d9e08d4e102572804a2aed186b01db23c65
>
> The effect is to skip the test, because we are missing the datefudge
> program [0].
>
> Or, we could package datefudge and add it to the gnutls recipe.
Interesting failure mode.
When Hydra is operational again, we can simply update GnuTLS, I think.
In the meantime grafting is a good idea. Would you like to try that?
Thanks for the analysis!
Ludo’.
- gnutls 'name-constraints' test failure, nee, 2016/07/16
- Re: gnutls 'name-constraints' test failure, Leo Famulari, 2016/07/17
- Re: gnutls 'name-constraints' test failure, Andreas Enge, 2016/07/17
- Re: gnutls 'name-constraints' test failure,
Ludovic Courtès <=
- Re: gnutls 'name-constraints' test failure, Leo Famulari, 2016/07/17
- Re: gnutls 'name-constraints' test failure, Ludovic Courtès, 2016/07/18
- Re: gnutls 'name-constraints' test failure, Leo Famulari, 2016/07/18
- Re: gnutls 'name-constraints' test failure, Leo Famulari, 2016/07/18
- Re: gnutls 'name-constraints' test failure, Ludovic Courtès, 2016/07/19
- Re: gnutls 'name-constraints' test failure, Leo Famulari, 2016/07/19
- Re: gnutls 'name-constraints' test failure, Leo Famulari, 2016/07/20
- Re: gnutls 'name-constraints' test failure, Ludovic Courtès, 2016/07/20
- Re: gnutls 'name-constraints' test failure, Efraim Flashner, 2016/07/18
- gd on i686, Ludovic Courtès, 2016/07/19