Since the upgrade to app-misc/ca-certificates-20111025 I got almost only errors when syncing my live ebuild:

Reproducible: Always

Actual Results:
svn: E175002: Unable to connect to a repository at URL 'https://svn.blender.org/svnroot/bf-blender/trunk/blender'
svn: E175002: OPTIONS of 'https://svn.blender.org/svnroot/bf-blender/trunk/blender': Certificate verification error: signed using insecure algorithm (https://svn.blender.org)
 * ERROR: media-gfx/blender-9999 failed (unpack phase):
 *   subversion: can't fetch to /usr/portage/distfiles/svn-src/blender/blender from https://svn.blender.org/svnroot/bf-blender/trunk/blender.
 *

Expected Results:
It would be nice if the CA would work :)

Portage 2.2.0_alpha79_p27 (default/linux/amd64/10.0/desktop, gcc-4.5.3, glibc-2.14.1-r1, 3.1.4-gentoo x86_64)
=================================================================
System uname: Linux-3.1.4-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P9700_@_2.80GHz-with-gentoo-2.1
Timestamp of tree: Wed, 07 Dec 2011 08:30:01 +0000
app-shells/bash: 4.2_p20
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.2-r3, 3.1.4-r3, 3.2.2
dev-util/cmake: 2.8.6-r4
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.1
sys-apps/openrc: 9999
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils: 2.22
sys-devel/gcc: 4.5.3-r1
sys-devel/gcc-config: 1.5-r2
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc: 2.14.1-r1
Repositories: gentoo lxde mpd qting-edge science wirelay scarabeus Techwolf poly-c luman gnome nikai emacs java-overlay mgorny lokal
Installed sets:
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en vi"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
Workaround in 3 stages:

1) Configure subversion for both a working account and the portage sandbox not to trust CAs:
   cd ~/.subversion; patch <~/svn-src.patch
   cd /usr/portage/distfiles/svn-src/.subversion; patch <~/svn-src.patch
   with the patch at the end of this comment.

2) In your working account get yourself a manually trusted certificate of the server. "svn checkout" or "svn update" from the blender server and answer the question after "Error validating server certificate" with (p)ermanent.

3) Copy the certificate from your account into the sandbox. (Your exact filename might differ)
   cp -vp ~/.subversion/auth/svn.ssl.server/20968a2cc3e04240437b2bc1d81787e1 \
      /usr/portage/distfiles/svn-src/.subversion/auth/svn.ssl.server/

Patch:
--- /usr/portage/distfiles/svn-src/.subversion/servers 2011-04-07 23:48:42.084965376 +0200 +++ /root/.subversion/servers 2011-12-03 23:02:51.528713992 +0100 @@ -98,10 +98,14 @@ [groups] # group1 = *.collab.net # othergroup = repository.blarggitywhoomph.com # thirdgroup = *.example.com +blender = *.blender.org + +[blender] +ssl-trust-default-ca = no ### Information for the first group: # [group1] # http-proxy-host = proxy1.some-domain-name.com # http-proxy-port = 80
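Review bot: The group pattern added under [groups], "blender = *.blender.org", is wider than the single host this workaround targets, so "ssl-trust-default-ca = no" applies to every blender.org server; consider "blender = svn.blender.org" instead. A comment line above "ssl-trust-default-ca = no" stating why default CA trust is switched off for this group, and that verification then rests on the manually accepted certificate, would help whoever reads the servers file later.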
I can't reproduce this over here

# etc-update
<enter -5>
# qlist -I -v ca-cert
app-misc/ca-certificates-20111025
# rm -rf ~/.subversion/
# svn ls https://svn.blender.org/svnroot/bf-blender/trunk/blender
CMakeLists.txt
COPYING
GNUmakefile
SConstruct
build_files/
doc/
extern/
intern/
release/
scons/
source/
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
# svn ls https://svn.blender.org/svnroot/bf-blender/trunk/blender
CMakeLists.txt
COPYING
GNUmakefile
SConstruct
build_files/
doc/
extern/
intern/
release/
scons/
source/
I've reproduced the problem here. Here's the output w/ neon-debug-mask = 511

$ svn ls https://svn.blender.org/svnroot/bf-blender/trunk/blender
ah_create, for WWW-Authenticate
Running pre_send hooks
compress: Initialization.
compress: Initialization.
Sending request headers:
OPTIONS /svnroot/bf-blender/trunk/blender HTTP/1.1
User-Agent: SVN/1.7.1 neon/0.29.6
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Host: svn.blender.org
Content-Type: text/xml
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Content-Length: 104
Accept-Encoding: gzip

Sending request-line and headers:
Doing DNS lookup on svn.blender.org...
req: Connecting to 82.94.213.217:443
Negotiating SSL connection.
ssl: Got 2 certs in peer chain.
ssl: Match common name 'svn.blender.org' against ''
ssl: Match common name 'CAcert Class 3 Root' against ''
ssl: Match common name 'CA Cert Signing Authority' against ''
ssl: Match common name 'CA Cert Signing Authority' against ''
ssl: Match common name 'svn.blender.org' against 'svn.blender.org'
ssl: Identity match for 'svn.blender.org': good
ssl: Verify peers returned 0, status=258
ssl: Verification failures = 0 (status = 258).
sess: Closing connection.
sess: Connection closed.
Request ends, status 0 class 0xx, error line:
Certificate verification error: signed using insecure algorithm
Running destroy hooks.
Request ends.
svn: E175002: Unable to connect to a repository at URL 'https://svn.blender.org/svnroot/bf-blender/trunk/blender'
svn: E175002: OPTIONS of 'https://svn.blender.org/svnroot/bf-blender/trunk/blender': Certificate verification error: signed using insecure algorithm (https://svn.blender.org)
sess: Destroying session.
sess: Destroying session.
The problem here is that CACert reissued their class 3 certificate, and svn.blender.org is only signed by the old class3, which is no longer in ca-certificates.

Unpack both ca-certificates-20111025 and ca-certificates-20110502-r4. Copy ${S}/work/usr/share/ca-certificates/cacert.org/cacert.org.crt to /tmp/cacert-old.crt and /tmp/cacert-new.crt respectively.

$ gnutls-cli --x509cafile /tmp/cacert-new.pem -VV --debug 2 -p 443 svn.blender.org
Processed 2 CA certificate(s).
Resolving 'svn.blender.org'...
Connecting to '82.94.213.217:443'...
|<2>| EXT[0xbdcc40]: Sending extension CERT_TYPE
|<2>| EXT[0xbdcc40]: Sending extension SERVER_NAME
|<2>| EXT[0xbdcc40]: Sending extension SAFE_RENEGOTIATION
|<2>| EXT[0xbdcc40]: Sending extension SESSION_TICKET
|<2>| EXT[0xbdcc40]: Sending extension SIGNATURE_ALGORITHMS
|<2>| EXT[0xbdcc40]: Found extension 'SERVER_NAME/0'
|<2>| EXT[0xbdcc40]: Found extension 'SESSION_TICKET/35'
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: verify.c:526
*** Verifying server certificate failed...
|<2>| ASSERT: gnutls_kx.c:736
|<2>| ASSERT: gnutls_handshake.c:2804
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

$ gnutls-cli --x509cafile /tmp/cacert-old.pem -VV --debug 2 -p 443 svn.blender.org
Processed 2 CA certificate(s).
Resolving 'svn.blender.org'...
Connecting to '82.94.213.217:443'...
|<2>| EXT[0x894c40]: Sending extension CERT_TYPE
|<2>| EXT[0x894c40]: Sending extension SERVER_NAME
|<2>| EXT[0x894c40]: Sending extension SAFE_RENEGOTIATION
|<2>| EXT[0x894c40]: Sending extension SESSION_TICKET
|<2>| EXT[0x894c40]: Sending extension SIGNATURE_ALGORITHMS
|<2>| EXT[0x894c40]: Found extension 'SERVER_NAME/0'
|<2>| EXT[0x894c40]: Found extension 'SESSION_TICKET/35'
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: gnutls_handshake.c:1334
|<2>| ASSERT: ext_server_name.c:263
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1021 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: x509.c:2777
|<2>| ASSERT: x509.c:2777
|<2>| ASSERT: x509.c:2777
|<2>| ASSERT: x509.c:2777
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 085477
    Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Validity:
        Not Before: Tue Mar 09 10:56:03 UTC 2010
        Not After: Thu Mar 08 10:56:03 UTC 2012
    Subject: CN=svn.blender.org
    Subject Public Key Algorithm: RSA
        Modulus (bits 1024):
        Exponent (bits 24): 01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Client.
            TLS WWW Server.
            2.16.840.1.113730.4.1
            1.3.6.1.4.1.311.10.3.3
        Key Usage (not critical):
            Digital signature.
            Key encipherment.
        Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
            ASCII: 0%0#..+.....0...http://ocsp.cacert.org/
            Hexdump: 3025302306082b060105050730018617687474703a2f2f6f6373702e6361636572742e6f72672f
    Signature Algorithm: RSA-SHA1
    Signature:
Other Information:
    MD5 fingerprint: b95d6cf26bec5bc2c3fe5e42e71b6756
    SHA-1 fingerprint: a0e76a504655eed510d9b8595f30031d4624d0a3
    Public Key Id: fe4de7d6efeaf4c845900989c7054e53f5c18bc0
 - Certificate[1] info:
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: mpi.c:606
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 01
    Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Validity:
        Not Before: Fri Oct 14 07:36:55 UTC 2005
        Not After: Mon Mar 28 07:36:55 UTC 2033
    Subject: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
    Subject Public Key Algorithm: RSA
        Modulus (bits 4096):
        Exponent (bits 24): 01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
            ASCII: 0O0#..+.....0...http://ocsp.CAcert.org/0(..+.....0...http://www.CAcert.org/ca.crt
            Hexdump: 304f302306082b060105050730018617687474703a2f2f6f6373702e4341636572742e6f72672f302806082b06010505073002861c687474703a2f2f7777772e4341636572742e6f72672f63612e637274
        Unknown extension 2.5.29.32 (not critical):
            ASCII: 0A0?..+......J0301..+........%http://www.CAcert.org/index.php?id=10
            Hexdump: 3041303f06082b0601040181904a3033303106082b060105050702011625687474703a2f2f7777772e4341636572742e6f72672f696e6465782e7068703f69643d3130
    Signature Algorithm: RSA-MD5
warning: signed using a broken signature algorithm that can be forged.
    Signature:
Other Information:
    MD5 fingerprint: 733f35541d44c9e95a4aef51ad0306b6
    SHA-1 fingerprint: db4c4269073fe9c2a37d890a5c1b18c4184e2a2d
    Public Key Id: 75a871604c8813f078d98977b56dc589dfbcb17a
- The hostname in the certificate matches 'svn.blender.org'.
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: dn.c:1211
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 66:43:C7:29:D2:E5:88:A2:A1:B1:6E:1C:E4:8B:6E:FD:A0:58:F7:7E:22:E2:09:30:52:FF:63:E1:66:AB:B3:2F
- Handshake was completed
- Simple Client Mode:
Your workaround is really bad. This needs to be resolved either by Blender regenerating their cert (it's about 30 seconds of work, I've done it for a lot of Gentoo services already), or upstream ca-certificates reversing their decision that the old cacert class3 is no longer trustworthy.

As an interesting comparison, while gnutls distrusts the chain due to the old/new mismatch, OpenSSL gets it right and trusts regardless of which old/new CA is passed, because the root that signs the class3 has stayed the same.

$ openssl s_client -connect 82.94.213.217:443 -CAfile $file -verify 5
(pass /dev/null to force fail or the previous files from /tmp/ to pass)
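A triage helper for the failure discussed in this thread, added here as an example and not taken from the bug report or from GnuTLS/neon: it decodes the `status=258` value from the neon log and lists which presented certificates carry a weak signature that is not covered by the trust store. It assumes that neon prints the GnuTLS verification status bitmask and uses a simplified model in which a presented certificate already in the trust store acts as an anchor whose own signature is not evaluated; the sample text is constructed from the gnutls-cli output above with key material omitted.

```python
import re

# GnuTLS gnutls_certificate_status_t bits (subset relevant here).
GNUTLS_STATUS = {1 << 1: "INVALID", 1 << 6: "SIGNER_NOT_FOUND",
                 1 << 7: "SIGNER_NOT_CA", 1 << 8: "INSECURE_ALGORITHM"}
WEAK = ("MD2", "MD5")  # hash names treated as broken for signatures

# Constructed sample: fields copied from the thread's gnutls-cli -VV output.
SAMPLE = """\
- Certificate[0] info:
    Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Subject: CN=svn.blender.org
    Signature Algorithm: RSA-SHA1
    SHA-1 fingerprint: a0e76a504655eed510d9b8595f30031d4624d0a3
- Certificate[1] info:
    Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
    Subject: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
    Signature Algorithm: RSA-MD5
    SHA-1 fingerprint: db4c4269073fe9c2a37d890a5c1b18c4184e2a2d
"""

FIELDS = {"Issuer": "issuer", "Subject": "subject",
          "Signature Algorithm": "sigalg", "SHA-1 fingerprint": "sha1"}

def decode_status(status):
    """Names of the verification-status bits set in `status`."""
    return [name for bit, name in sorted(GNUTLS_STATUS.items()) if status & bit]

def parse_chain(text):
    """Split gnutls-cli -VV output into one dict per presented certificate."""
    certs = []
    for line in text.splitlines():
        m = re.match(r"\s*- Certificate\[(\d+)\] info:", line)
        if m:
            certs.append({"index": int(m.group(1))})
            continue
        key, sep, value = line.strip().partition(": ")
        if certs and sep and key in FIELDS:
            certs[-1].setdefault(FIELDS[key], value.strip())
    return certs

def weak_links(certs, trusted_sha1):
    """Certificates whose weak signature a verifier would have to rely on.

    A certificate that is itself in the trust store is an anchor, so its
    signature is not evaluated (simplified model, not GnuTLS's real code).
    """
    return [c for c in certs
            if c.get("sha1") not in trusted_sha1
            and any(w in c.get("sigalg", "") for w in WEAK)]

if __name__ == "__main__":
    print(decode_status(258), weak_links(parse_chain(SAMPLE), set()))
```

With the old Class 3 fingerprint in the trusted set the result is empty, matching the "Peer's certificate is trusted" run; with any other set the RSA-MD5 certificate at index 1 is reported.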