Bug 784696 - TLS/SSL test failure due to certificate verification failure
Status: RESOLVED DUPLICATE of bug 784949
Product: libsoup
Classification: Core
Component: HTTP Transport
Version: 2.58.x
Hardware: Other Windows
Importance: Normal normal
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
QA Contact: libsoup-maint@gnome.bugs
Depends on:
Blocks:
 
 
Reported: 2017-07-08 14:37 UTC by Ludovic Courtès
Modified: 2017-07-14 17:56 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Ludovic Courtès 2017-07-08 14:37:25 UTC
tests/ssl-test.c and other TLS-related tests fail with GnuTLS 3.5.12+:

ERROR:ssl-test.c:406:do_tls_interaction_test: Unexpected status 6 Unacceptable TLS certificate (expected 200 OK)

The reason is most likely this change in GnuTLS 3.5.12:

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against DNS fields of certificate (CN or DNSname). The previous behavior
   was to tolerate some misconfigured servers, but that was non-standard
   and skipped any IP constraints present in higher level certificates.

To work around it, 'test-cert.pem' must be regenerated to include 'localhost' as its 'dnsName'.

I've tested this change in GNU Guix and it solves the problem.
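The GnuTLS 3.5.12 change quoted in the description above, as a simplified model in C (an added example, not code from libsoup, GnuTLS or the reporter). The struct, the function names and both sample certificates are constructed for illustration; wildcard matching is omitted and IP addresses are compared as text.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the name fields of an X.509 certificate. */
struct cert_names {
    const char *cn;            /* subject Common Name, or NULL */
    const char *dns_names[4];  /* dNSName SANs, NULL-terminated */
    const char *ip_addrs[4];   /* iPAddress SANs as text, NULL-terminated */
};

/* Simplified: dotted-quad IPv4, or anything containing ':' (IPv6). */
static bool is_ip_literal(const char *host) {
    unsigned a, b, c, d;
    char tail;
    if (strchr(host, ':')) return true;
    return sscanf(host, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) == 4
        && a < 256 && b < 256 && c < 256 && d < 256;
}

static bool same_name(const char *x, const char *y) {
    for (; *x && *y; x++, y++)
        if (tolower((unsigned char)*x) != tolower((unsigned char)*y)) return false;
    return *x == *y;
}

static bool in_list(const char *const *list, const char *host) {
    for (; *list; list++)
        if (same_name(*list, host)) return true;
    return false;
}

/* strict=false: tolerant behaviour before 3.5.12; strict=true: 3.5.12+. */
bool host_matches(const struct cert_names *c, const char *host, bool strict) {
    bool ip = is_ip_literal(host);
    if (ip && in_list(c->ip_addrs, host)) return true;
    if (ip && strict) return false;  /* IP is never compared to CN/dNSName */
    if (c->dns_names[0]) return in_list(c->dns_names, host);
    return c->cn && same_name(c->cn, host);  /* CN only when no dNSName */
}

/* Constructed samples: IP only in CN, and a certificate with a dNSName. */
static const struct cert_names ip_in_cn = { "127.0.0.1", { NULL }, { NULL } };
static const struct cert_names with_dns = { "localhost", { "localhost", NULL }, { NULL } };

int main(void) {
    printf("IP in CN: tolerant=%d strict=%d\n",
           host_matches(&ip_in_cn, "127.0.0.1", false), host_matches(&ip_in_cn, "127.0.0.1", true));
    return 0;
}
```

In this model a certificate carrying 'localhost' as a dNSName validates only for the name `localhost`; a client that connects by IP address still needs an iPAddress entry under the strict rule.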
Comment 1 Ludovic Courtès 2017-07-08 14:41:25 UTC
Here's our fix, which shows how to produce the certificate with 'certtool':

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2deb146f6d2f38aa121c51b3141c33790a734be5
Comment 2 Dan Winship 2017-07-14 17:47:44 UTC
*** Bug 784949 has been marked as a duplicate of this bug. ***
Comment 3 Dan Winship 2017-07-14 17:56:09 UTC

*** This bug has been marked as a duplicate of bug 784949 ***