From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: gnutls 'name-constraints' test failure
Date: Sun, 17 Jul 2016 15:25:46 +0200
Message-ID: <87shv84crp.fsf@gnu.org>
References: <578A854F.30302@cock.li> <20160717073206.GA17182@jasmine>
In-Reply-To: <20160717073206.GA17182@jasmine> (Leo Famulari's message of "Sun, 17 Jul 2016 03:32:06 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari skribis:

> On Sat, Jul 16, 2016 at 09:04:47PM +0200, nee wrote:
>> ./certtool: line 83: datefudge: command not found
>>
>> You need datefudge to run this test
>>
>> FAIL: name-constraints
>> ======================
>>
>> Loaded 3 certificates, 1 CAs and 0 CRLs
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Output: Verified. The certificate is trusted.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=bazz.foobar.com
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate chain uses expired certificate.
>>
>> Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain uses expired certificate.
>>
>> name constraints test 1 failed
>
> The test certificates have expired.
>
> I think we need to apply this patch with a graft, from the gnutls_3_4_x
> branch:
> https://gitlab.com/gnutls/gnutls/commit/47f25d9e08d4e102572804a2aed186b01db23c65
>
> The effect is to skip the test, because we are missing the datefudge
> program [0].
>
> Or, we could package datefudge and add it to the gnutls recipe.

Interesting failure mode.

When Hydra is operational again, we can simply update GnuTLS, I think.
In the meantime grafting is a good idea. Would you like to try that?

Thanks for the analysis!

Ludo’.
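The quoted certtool output shows a chain (Root CA, a name-constrained Sub CA 1, leaf bazz.foobar.com) that fails only because the fixtures' validity window has passed, which is why the test needs datefudge to run certtool at a faked date. The following Go program is an added example, not GnuTLS or Guix code: it builds an equivalent constructed chain (invented keys, subjects and dates) and verifies it with the standard library's crypto/x509 at a chosen instant, so the same chain is expired at the thread's date, valid at a date inside the window, and rejected for a DNS name outside .foobar.com regardless of the clock.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues tmpl signed by parent (self-signed when parent is nil). The validity
// window is constructed for this example: like the GnuTLS fixtures, it has expired.
func mkCert(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain mirrors the test fixture: Root CA -> Sub CA 1 (name-constrained to
// .foobar.com) -> server leaf for leafDNS.
func BuildChain(leafDNS string) (root, sub, leaf *x509.Certificate) {
	root, rootKey := mkCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Foo Bar Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	sub, subKey := mkCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Foo Bar Sub CA 1"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: []string{".foobar.com"}}, root, rootKey)
	leaf, _ = mkCert(&x509.Certificate{Subject: pkix.Name{CommonName: leafDNS}, DNSNames: []string{leafDNS},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, sub, subKey)
	return root, sub, leaf
}

// VerifyAt validates the chain as of "now" via VerifyOptions.CurrentTime, the
// effect datefudge produces for certtool by faking the system clock.
func VerifyAt(root, sub, leaf *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}
```

VerifyAt returns nil inside the window and an x509.CertificateInvalidError otherwise, so a test can pin the date instead of depending on the host clock.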