
Bug 1148889

Summary: gnutls_certificate_set_x509_trust_file() has no effect if gnutls_certificate_set_x509_system_trust() is called.
Product: Fedora
Reporter: David Woodhouse <dwmw2>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 21
CC: nmavrogi, robatino, tmraz
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: gnutls-3.3.9-1.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-01 17:01:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1043129

Attachments:
  chain of valid certs for this server (Flags: none)

Description David Woodhouse 2014-10-02 15:14:32 UTC
Created attachment 943418 [details]
chain of valid certs for this server

$ openconnect --cafile scsir-certchain.crt scsir.intel.com
POST https://scsir.intel.com/
Attempting to connect to server 213.190.153.55:443
SSL negotiation with scsir.intel.com
Server certificate verify failed: signer not found
If I hack openconnect's gnutls.c to eliminate the call to gnutls_certificate_set_x509_system_trust() so it's *only* using the user-provided certs, then it works fine. Note that in this case none of the relevant certs are actually *in* the system database. It looks like we just aren't *bothering* with the provided trust file.

Comment 1 Nikos Mavrogiannopoulos 2014-10-09 09:45:31 UTC
The issue has been addressed upstream:

https://gitorious.org/gnutls/gnutls/commit/24c4991469509d7a57d8d61ab619a19a2034bdc7

Comment 2 Fedora Update System 2014-10-13 09:48:35 UTC
gnutls-3.3.9-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.9-1.fc21

Comment 3 Fedora Update System 2014-10-14 04:35:13 UTC
Package gnutls-3.3.9-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.9-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12774/gnutls-3.3.9-1.fc21
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-11-01 17:01:09 UTC
gnutls-3.3.9-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.