Comment 5 for bug 1714506

Julian Andres Klode (juliank) wrote :

Verified on zesty, old version 3.5.6-4ubuntu4.2 failed handshake, 3.5.6-4ubuntu4.3 succeeded:

Script started on Thu 07 Sep 2017 00:45:28 CEST
+ apt-get -q update
[...]
+ apt-get -q -y install gnutls-bin ca-certificates
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libffi6 libgmp10 libgnutls30 libhogweed4 libidn11 libnettle6 libopts25 libp11-kit0 libssl1.0.0 libtasn1-6 openssl
The following NEW packages will be installed:
  ca-certificates gnutls-bin libffi6 libgmp10 libgnutls30 libhogweed4 libidn11 libnettle6 libopts25 libp11-kit0 libssl1.0.0 libtasn1-6 openssl
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 3326 kB of archives.
After this operation, 9762 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu zesty/main amd64 libffi6 amd64 3.2.1-6 [17.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu zesty/main amd64 libgmp10 amd64 2:6.1.2+dfsg-1 [240 kB]
Get:3 http://archive.ubuntu.com/ubuntu zesty/main amd64 libnettle6 amd64 3.3-1 [92.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu zesty/main amd64 libhogweed4 amd64 3.3-1 [135 kB]
Get:5 http://archive.ubuntu.com/ubuntu zesty/main amd64 libidn11 amd64 1.33-1 [45.0 kB]
Get:6 http://archive.ubuntu.com/ubuntu zesty/main amd64 libp11-kit0 amd64 0.23.3-5 [107 kB]
Get:7 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libtasn1-6 amd64 4.10-1ubuntu0.1 [35.5 kB]
Get:8 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libgnutls30 amd64 3.5.6-4ubuntu4.2 [627 kB]
Get:9 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libssl1.0.0 amd64 1.0.2g-1ubuntu11.2 [1081 kB]
Get:10 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 openssl amd64 1.0.2g-1ubuntu11.2 [491 kB]
Get:11 http://archive.ubuntu.com/ubuntu zesty/main amd64 ca-certificates all 20161130 [193 kB]
Get:12 http://archive.ubuntu.com/ubuntu zesty/main amd64 libopts25 amd64 1:5.18.12-3 [57.0 kB]
Get:13 http://archive.ubuntu.com/ubuntu zesty-updates/universe amd64 gnutls-bin amd64 3.5.6-4ubuntu4.2 [204 kB]
Fetched 3326 kB in 2s (1539 kB/s)
[...]
+ gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net
Processed 173 CA certificate(s).
Resolving 'tvemsnbc-vh.akamaihd.net:443'...
Connecting to '95.101.77.25:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=Massachusetts,C=US', issuer `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', serial 0x0f683f2dfac9edf014148ca649db4bad, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2017-03-07 00:00:00 UTC', expires `2018-05-06 23:59:59 UTC', SHA-1 fingerprint `557c90a8d8953f3a2c2b59290a5ce12eafa60adf'
 Public Key ID:
  8c08394d28e104af81d099d4d236eef424710a29
 Public key's random art:
  +--[SECP256R1]----+
  |==.B. |
  |E.O+* . |
  |o+==.= |
  | o o=..o |
  |. o.+. S |
  | . . |
  | |
  | |
  | |
  +-----------------+

- Certificate[1] info:
 - subject `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', issuer `CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US', serial 0x3f9287be9d1da4a37a9df6282e775ac4, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2015-05-12 00:00:00 UTC', expires `2025-05-11 23:59:59 UTC', SHA-1 fingerprint `fe3c41901f3659c6eddc0c1c2d85d0b20e649614'
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
+ echo 'deb http://archive.ubuntu.com/ubuntu/ zesty-proposed main'
+ apt-get -q update
[...]
+ apt-get -q -y install libgnutls30/zesty-proposed
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libgnutls30
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 627 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 libgnutls30 amd64 3.5.6-4ubuntu4.3 [627 kB]
Fetched 627 kB in 0s (1171 kB/s)
[...]
+ gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net
Processed 173 CA certificate(s).
Resolving 'tvemsnbc-vh.akamaihd.net:443'...
Connecting to '95.101.77.34:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=Massachusetts,C=US', issuer `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', serial 0x0f683f2dfac9edf014148ca649db4bad, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2017-03-07 00:00:00 UTC', expires `2018-05-06 23:59:59 UTC', SHA-1 fingerprint `557c90a8d8953f3a2c2b59290a5ce12eafa60adf'
 Public Key ID:
  8c08394d28e104af81d099d4d236eef424710a29
 Public key's random art:
  +--[SECP256R1]----+
  |==.B. |
  |E.O+* . |
  |o+==.= |
  | o o=..o |
  |. o.+. S |
  | . . |
  | |
  | |
  | |
  +-----------------+

- Certificate[1] info:
 - subject `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', issuer `CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US', serial 0x3f9287be9d1da4a37a9df6282e775ac4, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2015-05-12 00:00:00 UTC', expires `2025-05-11 23:59:59 UTC', SHA-1 fingerprint `fe3c41901f3659c6eddc0c1c2d85d0b20e649614'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
- Session ID: 2C:8E:64:DB:85:A0:AC:38:E7:B7:F0:98:0B:3B:1D:73:F2:C4:6D:95:E6:A9:1E:9D:99:4D:53:2A:45:6F:A6:7F
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: OCSP status request,
- Handshake was completed

- Simple Client Mode:

^C
Script done on Thu 07 Sep 2017 00:46:05 CEST