Giovanni,

Giovanni Biscuolo wrote:
> ...and sorry again to all other Guix users for the "noise": this is not
> strictly related to Guix but just to the most recent version of
> curl/wget

Don't be. It was a legitimate bug in a Guix package. Thanks to Marius for the quick fix, by the way!

> I still don't understand the differences between curl (and wget)
> behaviour and the last Guix available ungoogled-chromium (see below).

The expiration of the Sectigo root triggered a dormant bug in GnuTLS. Users of other crypto libraries were unaffected.

> I guess that this information, client side, is the same for all browsers
> and CLI interfaces (like curl) since long ago: right?

Yes. Including GnuTLS. It had the right data but drew the wrong conclusion from it.

> It seems that ungoogled-chromium stops the verification at the level=1
> certificate:

As your browser and SSLLabs knew, there *was* a valid chain (two, even) and GnuTLS should have returned success. Instead it reported failure because there was *also* an invalid expired one.

At the risk of being flamed for oversimplifying: paranoid GnuTLS was using AND where it should have used OR.

Here's the actual bug report: .

(I think the server's still sending too many intermediates, but at least now all clients will correctly ignore them. They'll just waste some bandwidth on every handshake.)

Kind regards,

T G-R
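The "AND where it should have used OR" point above is easier to see with a small path-building model. The following Python is an added illustration written for this page; it is not GnuTLS code and does not reproduce GnuTLS's actual logic. Certificates are plain records (no real signatures or keys), and every name and date in the scenario is constructed: an expired legacy root that is still in the trust store, a current self-signed root, a cross-signed copy of that root issued by the legacy root (as sent by the server), an issuing CA and a leaf. `verify_any` is the policy a client should apply (succeed if any chain to a trusted root validates); `verify_all` is a caricature of the described failure, where one expired candidate chain poisons the result even though another chain is fine.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, no crypto)."""
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chains(leaf, bundle, trust_store):
    """Enumerate every chain from `leaf` up to a self-signed certificate in the
    trust store. Candidate issuers are taken from both the server-supplied
    bundle and the local trust store, so a subject that exists twice (once
    self-signed, once cross-signed) yields two distinct chains. Validity
    periods are deliberately ignored here so both policies below judge the
    same set of chains."""
    chains = []

    def walk(chain):
        top = chain[-1]
        if top.self_signed:
            if top in trust_store:
                chains.append(chain)
            return  # a self-signed cert that is not trusted is a dead end
        for cand in list(bundle) + list(trust_store):
            if cand.subject == top.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return chains


def chain_is_valid(chain, now):
    """A chain is valid when every certificate in it is within its validity period."""
    return all(now <= cert.not_after for cert in chain)


def verify_any(leaf, bundle, trust_store, now):
    """Correct policy (OR): accept if at least one chain to a trusted root validates."""
    return any(chain_is_valid(c, now) for c in build_chains(leaf, bundle, trust_store))


def verify_all(leaf, bundle, trust_store, now):
    """Over-strict policy (AND), a caricature of the bug described in the message:
    every candidate chain must validate, so a single expired cross-signed path
    rejects a connection that has a perfectly good alternative chain."""
    chains = build_chains(leaf, bundle, trust_store)
    return bool(chains) and all(chain_is_valid(c, now) for c in chains)


# --- constructed scenario: all names and dates are made up for this example ---
def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


LEGACY_ROOT = Cert("Legacy Root", "Legacy Root", _utc(2020, 5, 31))   # expired, still in the store
MODERN_ROOT = Cert("Modern Root", "Modern Root", _utc(2038, 1, 18))   # current self-signed root
CROSS_SIGNED = Cert("Modern Root", "Legacy Root", _utc(2020, 5, 31))  # same subject, issued by legacy root
ISSUING_CA = Cert("Issuing CA", "Modern Root", _utc(2030, 12, 31))
LEAF = Cert("www.example.org", "Issuing CA", _utc(2021, 6, 1))

TRUST_STORE = [LEGACY_ROOT, MODERN_ROOT]
SERVER_BUNDLE = [LEAF, ISSUING_CA, CROSS_SIGNED]  # what the server sends in the handshake


def demo(now=_utc(2020, 6, 10)):
    """Summarise how the two policies judge the constructed handshake at time `now`."""
    chains = build_chains(LEAF, SERVER_BUNDLE, TRUST_STORE)
    return {
        "chains_found": len(chains),
        "valid_chains": sum(chain_is_valid(c, now) for c in chains),
        "any_policy": verify_any(LEAF, SERVER_BUNDLE, TRUST_STORE, now),
        "all_policy": verify_all(LEAF, SERVER_BUNDLE, TRUST_STORE, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run after the legacy root's expiry, the model finds two chains, one valid and one expired; `verify_any` accepts and `verify_all` rejects. Run before the expiry, both chains validate and the two policies agree, which is exactly why a bug of this shape can lie dormant until a root expires. Dropping the cross-signed certificate from the bundle (the "too many intermediates" remark above) also makes the strict policy pass, since only the good chain remains.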