From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: gnutls 'name-constraints' test failure
Date: Sun, 17 Jul 2016 15:25:46 +0200 [thread overview]
Message-ID: <87shv84crp.fsf@gnu.org> (raw)
In-Reply-To: <20160717073206.GA17182@jasmine> (Leo Famulari's message of "Sun, 17 Jul 2016 03:32:06 -0400")
Leo Famulari <leo@famulari.name> skribis:
> On Sat, Jul 16, 2016 at 09:04:47PM +0200, nee wrote:
>> ./certtool: line 83: datefudge: command not found
>>
>> You need datefudge to run this test
>>
>> FAIL: name-constraints
>> ======================
>>
>> Loaded 3 certificates, 1 CAs and 0 CRLs
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Output: Verified. The certificate is trusted.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=bazz.foobar.com
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate chain uses expired certificate.
>>
>> Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain uses expired certificate.
>>
>> name constraints test 1 failed
>
> The test certificates have expired.
>
> I think we need to apply this patch with a graft, from the gnutls_3_4_x
> branch:
> https://gitlab.com/gnutls/gnutls/commit/47f25d9e08d4e102572804a2aed186b01db23c65
>
> The effect is to skip the test, because we are missing the datefudge
> program [0].
>
> Or, we could package datefudge and add it to the gnutls recipe.
Interesting failure mode.
When Hydra is operational again, we can simply update GnuTLS, I think.
In the meantime grafting is a good idea. Would you like to try that?
Thanks for the analysis!
Ludo’.
next prev parent reply other threads:[~2016-07-17 13:25 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-16 19:04 gnutls 'name-constraints' test failure nee
2016-07-17 7:32 ` Leo Famulari
2016-07-17 11:17 ` Andreas Enge
2016-07-17 13:25 ` Ludovic Courtès [this message]
2016-07-17 17:33 ` Leo Famulari
2016-07-18 12:14 ` Ludovic Courtès
2016-07-18 16:48 ` Leo Famulari
2016-07-18 17:15 ` Leo Famulari
2016-07-19 13:02 ` Ludovic Courtès
2016-07-19 17:05 ` Leo Famulari
2016-07-20 4:04 ` Leo Famulari
2016-07-20 10:07 ` Ludovic Courtès
2016-07-18 17:30 ` Efraim Flashner
2016-07-19 13:01 ` gd on i686 Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87shv84crp.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).