Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 393485 - app-misc/ca-certificates-20111025 breaks svn, git
Summary: app-misc/ca-certificates-20111025 breaks svn, git
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
URL: https://wiki.cacert.org/FAQ/Class3Resign
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-07 09:07 UTC by tman
Modified: 2011-12-08 08:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description tman 2011-12-07 09:07:37 UTC 
since upgrade to this app-misc/ca-certificates-20111025 i got almost errors by syncing my live euild:



Reproducible: Always

Actual Results:  
svn: E175002: Unable to connect to a repository at URL
'https://svn.blender.org/svnroot/bf-blender/trunk/blender'
svn: E175002: OPTIONS of
'https://svn.blender.org/svnroot/bf-blender/trunk/blender': Certificate
verification error: signed using insecure algorithm (https://svn.blender.org)
 * ERROR: media-gfx/blender-9999 failed (unpack phase):
 *   subversion: can't fetch to /usr/portage/distfiles/svn-src/blender/blender
from https://svn.blender.org/svnroot/bf-blender/trunk/blender.
 * 

Expected Results:  
it would be nice if the CA will be work :)

Portage 2.2.0_alpha79_p27 (default/linux/amd64/10.0/desktop, gcc-4.5.3, glibc-2.14.1-r1, 3.1.4-gentoo x86_64)
=================================================================
System uname: Linux-3.1.4-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P9700_@_2.80GHz-with-gentoo-2.1
Timestamp of tree: Wed, 07 Dec 2011 08:30:01 +0000
app-shells/bash:          4.2_p20
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.1.4-r3, 3.2.2
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          9999
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.22
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r1
Repositories: gentoo lxde mpd qting-edge science wirelay scarabeus Techwolf poly-c luman gnome nikai emacs java-overlay mgorny lokal
Installed sets: 
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en vi"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
Comment 1 Roland Hautz 2011-12-07 18:18:49 UTC 
Workaround in 3 stages:

1)
Configure subversion for both a working account and the portage sandbox not to trust CAs:

cd ~/.subversion/servers; patch <~/svn-src.patch
cd /usr/portage/distfiles/svn-src/.subversion/servers; patch <~/svn-src.patch

with the patch at the end of this comment.

2)
In your working account get yourself a manually trusted certificate of the server. "svn checkout" or "svn update" from the blender server and answer the question after "Error validating server certificate" with (p)ermanent.

3)
Copy the certificate from your account into the sandbox. (You exact filename might differ)

cp -vp ~/.subversion/auth/svn.ssl.server/20968a2cc3e04240437b2bc1d81787e1 \ /usr/portage/distfiles/svn-src/.subversion/auth/svn.ssl.server/



Patch:

--- /usr/portage/distfiles/svn-src/.subversion/servers  2011-04-07 23:48:42.084965376 +0200
+++ /root/.subversion/servers   2011-12-03 23:02:51.528713992 +0100
@@ -98,10 +98,14 @@
 
 [groups]
 # group1 = *.collab.net
 # othergroup = repository.blarggitywhoomph.com
 # thirdgroup = *.example.com
+blender = *.blender.org
+
+[blender]
+ssl-trust-default-ca = no
 
 ### Information for the first group:
 # [group1]
 # http-proxy-host = proxy1.some-domain-name.com
 # http-proxy-port = 80
Comment 2 SpanKY gentoo-dev 2011-12-08 00:19:26 UTC 
i can't reproduce this over here

# etc-update
<enter -5>

# qlist -I -v ca-cert
app-misc/ca-certificates-20111025

# rm -rf ~/.subversion/

# svn ls https://svn.blender.org/svnroot/bf-blender/trunk/blender
CMakeLists.txt
COPYING
GNUmakefile
SConstruct
build_files/
doc/
extern/
intern/
release/
scons/
source/

# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

# svn ls https://svn.blender.org/svnroot/bf-blender/trunk/blender
CMakeLists.txt
COPYING
GNUmakefile
SConstruct
build_files/
doc/
extern/
intern/
release/
scons/
source/
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-12-08 07:53:02 UTC 
I've reproduced the problem here.

Here's the output w/ 
neon-debug-mask = 511

$ svn  ls https://svn.blender.org/svnroot/bf-blender/trunk/blender
ah_create, for WWW-Authenticate
Running pre_send hooks
compress: Initialization.
compress: Initialization.
Sending request headers:
OPTIONS /svnroot/bf-blender/trunk/blender HTTP/1.1
User-Agent: SVN/1.7.1 neon/0.29.6
Keep-Alive: 
Connection: TE, Keep-Alive
TE: trailers
Host: svn.blender.org
Content-Type: text/xml
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Content-Length: 104
Accept-Encoding: gzip

Sending request-line and headers:
Doing DNS lookup on svn.blender.org...
req: Connecting to 82.94.213.217:443
Negotiating SSL connection.
ssl: Got 2 certs in peer chain.
ssl: Match common name 'svn.blender.org' against ''
ssl: Match common name 'CAcert Class 3 Root' against ''
ssl: Match common name 'CA Cert Signing Authority' against ''
ssl: Match common name 'CA Cert Signing Authority' against ''
ssl: Match common name 'svn.blender.org' against 'svn.blender.org'
ssl: Identity match for 'svn.blender.org': good
ssl: Verify peers returned 0, status=258
ssl: Verification failures = 0 (status = 258).
sess: Closing connection.
sess: Connection closed.
Request ends, status 0 class 0xx, error line:
Certificate verification error: signed using insecure algorithm
Running destroy hooks.
Request ends.
svn: E175002: Unable to connect to a repository at URL 'https://svn.blender.org/svnroot/bf-blender/trunk/blender'
svn: E175002: OPTIONS of 'https://svn.blender.org/svnroot/bf-blender/trunk/blender': Certificate verification error: signed using insecure algorithm (https://svn.blender.org)
sess: Destroying session.
sess: Destroying session.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-12-08 08:07:19 UTC 
The problem here is that CACert reissued their class 3 certificate, and svn.blender.org is only signed by the old class3, which is no longer in ca-certificates.

Unpack both ca-certificates-20111025 and ca-certificates-20110502-r4.
copy ${S}/work/usr/share/ca-certificates/cacert.org/cacert.org.crt to /tmp/cacert-old.crt and /tmp/cacert-new.crt respectively.

$ gnutls-cli --x509cafile /tmp/cacert-new.pem -VV  --debug 2 -p 443 svn.blender.org 
Processed 2 CA certificate(s).
Resolving 'svn.blender.org'...
Connecting to '82.94.213.217:443'...
|<2>| EXT[0xbdcc40]: Sending extension CERT_TYPE
|<2>| EXT[0xbdcc40]: Sending extension SERVER_NAME
|<2>| EXT[0xbdcc40]: Sending extension SAFE_RENEGOTIATION
|<2>| EXT[0xbdcc40]: Sending extension SESSION_TICKET
|<2>| EXT[0xbdcc40]: Sending extension SIGNATURE_ALGORITHMS
|<2>| EXT[0xbdcc40]: Found extension 'SERVER_NAME/0'
|<2>| EXT[0xbdcc40]: Found extension 'SESSION_TICKET/35'
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: verify.c:526
*** Verifying server certificate failed...
|<2>| ASSERT: gnutls_kx.c:736
|<2>| ASSERT: gnutls_handshake.c:2804
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

$ gnutls-cli --x509cafile /tmp/cacert-old.pem -VV  --debug 2 -p 443 svn.blender.org 
Processed 2 CA certificate(s).
Resolving 'svn.blender.org'...
Connecting to '82.94.213.217:443'...
|<2>| EXT[0x894c40]: Sending extension CERT_TYPE
|<2>| EXT[0x894c40]: Sending extension SERVER_NAME
|<2>| EXT[0x894c40]: Sending extension SAFE_RENEGOTIATION
|<2>| EXT[0x894c40]: Sending extension SESSION_TICKET
|<2>| EXT[0x894c40]: Sending extension SIGNATURE_ALGORITHMS
|<2>| EXT[0x894c40]: Found extension 'SERVER_NAME/0'
|<2>| EXT[0x894c40]: Found extension 'SESSION_TICKET/35'
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: gnutls_handshake.c:1334
|<2>| ASSERT: ext_server_name.c:263
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1021 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: x509.c:2777
|<2>| ASSERT: x509.c:2777
|<2>| ASSERT: x509.c:2777
|<2>| ASSERT: x509.c:2777
  - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 085477
	Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
	Validity:
		Not Before: Tue Mar 09 10:56:03 UTC 2010
		Not After: Thu Mar 08 10:56:03 UTC 2012
	Subject: CN=svn.blender.org
	Subject Public Key Algorithm: RSA
		Modulus (bits 1024):
			ae:e5:5d:33:1a:67:b6:14:a9:52:07:d9:d0:a7:3d:ae
			d5:b0:97:2c:46:b2:9f:b6:ee:8e:9f:40:cb:2d:5a:5b
			98:b8:c6:d1:0c:25:df:0e:a4:21:46:b1:28:f6:7a:7d
			8b:7a:ad:ff:a9:5b:43:68:05:df:24:3a:0b:23:b7:54
			c2:45:95:f5:78:f9:7d:7a:dc:16:8a:f9:e3:7d:d5:48
			fd:5f:2f:7a:2c:0c:2b:04:43:1f:1e:95:95:b4:2f:91
			55:4a:f2:29:20:f3:6f:a0:78:48:dd:40:6b:94:10:fa
			43:7a:6c:cd:13:3a:f8:0f:12:58:7a:6a:58:4c:8e:0d
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
			2.16.840.1.113730.4.1
			1.3.6.1.4.1.311.10.3.3
		Key Usage (not critical):
			Digital signature.
			Key encipherment.
		Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
			ASCII: 0%0#..+.....0...http://ocsp.cacert.org/
			Hexdump: 3025302306082b060105050730018617687474703a2f2f6f6373702e6361636572742e6f72672f
	Signature Algorithm: RSA-SHA1
	Signature:
		ad:a1:a4:0b:9a:3a:76:3c:99:7a:7a:aa:3c:e0:3b:9b
		76:11:ee:e0:ba:94:be:53:e1:d6:c8:f0:1e:37:f4:55
		50:f0:d8:dd:a8:7c:f7:c2:3f:3d:85:7a:3d:ba:70:d2
		64:a6:c2:a9:0e:1d:63:7e:f6:83:8f:c8:0a:0c:bb:31
		91:95:1e:d7:8d:4a:3d:cd:64:e3:e4:48:9a:49:4d:07
		09:a4:64:06:ff:4e:3d:f1:5c:bf:5d:db:f2:a4:34:f7
		09:49:e7:27:83:92:b1:d7:b6:18:f2:79:d1:2c:30:8f
		64:0b:16:74:8f:81:92:d9:e4:5f:7d:91:c7:26:88:a4
		03:03:c7:f9:06:b6:e3:fc:e8:70:1b:ba:03:38:07:c7
		a0:a2:d9:1e:79:ea:d1:da:80:68:48:33:bf:0c:ab:d7
		19:bd:6a:bb:d1:73:9a:d3:59:8d:ba:c6:f8:dc:03:23
		81:21:a1:75:91:d0:57:cc:6f:64:3b:e2:62:07:ee:13
		d3:18:37:80:cf:f8:60:73:7f:4c:1d:94:22:b5:0d:2f
		5c:a5:3f:a6:2e:bc:8d:18:ff:7c:34:42:16:f0:ce:91
		ad:21:c7:15:92:89:68:e0:98:d3:d4:dd:06:29:b3:66
		16:3d:e1:cb:96:f8:68:f1:eb:64:18:87:08:a8:3c:8c
		4a:b9:d2:38:1e:db:49:2e:4f:9b:cd:64:4c:90:78:fe
		c8:fc:d7:1d:7a:04:d3:a4:04:50:b6:c3:ee:f6:6b:9e
		19:5a:ad:41:b4:8f:e8:24:4b:28:a2:04:4b:8e:bf:24
		3d:83:d6:fb:f3:88:05:9d:0d:77:6d:36:bf:b2:67:5a
		34:aa:58:b2:c2:74:8e:ed:d3:b1:aa:72:0f:d4:b9:81
		b1:83:bd:3b:aa:7c:ce:36:bc:14:a6:dc:3c:0e:1c:a5
		95:4d:63:e5:1a:c7:4e:f3:49:9b:a7:cc:18:9a:e5:1a
		29:57:95:32:f2:85:7b:85:cb:dc:73:f3:2f:7b:ef:b5
		8e:5b:7f:17:ca:68:1a:c2:47:91:b5:07:4e:36:19:eb
		ad:8a:75:55:52:0b:98:78:f1:f7:c5:65:2b:04:08:2c
		f0:5d:dd:ac:39:03:2e:74:82:5f:05:a2:af:ce:cc:cd
		77:4e:0c:cb:f2:9d:b0:18:07:e2:07:f2:45:52:5e:d8
		1c:cc:4f:3a:73:9a:a7:1b:46:3b:60:f2:73:32:dc:cf
		8a:f5:c8:93:75:b5:77:f5:9e:c8:d6:b4:6d:43:9d:07
		31:c5:df:74:fa:02:09:5c:ad:57:1b:b6:f4:e2:a9:5d
		50:65:99:b4:1b:24:b4:b0:43:46:9b:38:86:3c:77:a4
Other Information:
	MD5 fingerprint:
		b95d6cf26bec5bc2c3fe5e42e71b6756
	SHA-1 fingerprint:
		a0e76a504655eed510d9b8595f30031d4624d0a3
	Public Key Id:
		fe4de7d6efeaf4c845900989c7054e53f5c18bc0

 - Certificate[1] info:
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: dn.c:304
|<2>| ASSERT: mpi.c:606
  - X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 01
	Issuer: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support@cacert.org
	Validity:
		Not Before: Fri Oct 14 07:36:55 UTC 2005
		Not After: Mon Mar 28 07:36:55 UTC 2033
	Subject: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root
	Subject Public Key Algorithm: RSA
		Modulus (bits 4096):
			ab:49:35:11:48:7c:d2:26:7e:53:94:cf:43:a9:dd:28
			d7:42:2a:8b:f3:87:78:19:58:7c:0f:9e:da:89:7d:e1
			fb:eb:72:90:0d:74:a1:96:64:ab:9f:a0:24:99:73:da
			e2:55:76:c7:17:7b:f5:04:ac:46:b8:c3:be:7f:64:8d
			10:6c:24:f3:61:9c:c0:f2:90:fa:51:e6:f5:69:01:63
			c3:0f:56:e2:4a:42:cf:e2:44:8c:25:28:a8:c5:79:09
			7d:46:b9:8a:f3:e9:f3:34:29:08:45:e4:1c:9f:cb:94
			04:1c:81:a8:14:b3:98:65:c4:43:ec:4e:82:8d:09:d1
			bd:aa:5b:8d:92:d0:ec:de:90:c5:7f:0a:c2:e3:eb:e6
			31:5a:5e:74:3e:97:33:59:e8:c3:03:3d:60:33:bf:f7
			d1:6f:47:c4:cd:ee:62:83:52:6e:2e:08:9a:a4:d9:15
			18:91:a6:85:92:47:b0:ae:48:eb:6d:b7:21:ec:85:1a
			68:72:35:ab:ff:f0:10:5d:c0:f4:94:a7:6a:d5:3b:92
			7e:4c:90:05:7e:93:c1:2c:8b:a4:8e:62:74:15:71:6e
			0b:71:03:ea:af:15:38:9a:d4:d2:05:72:6f:8c:f9:2b
			eb:5a:72:25:f9:39:46:e3:72:1b:3e:04:c3:64:27:22
			10:2a:8a:4f:58:a7:03:ad:be:b4:2e:13:ed:5d:aa:48
			d7:d5:7d:d4:2a:7b:5c:fa:46:04:50:e4:cc:0e:42:5b
			8c:ed:db:f2:cf:fc:96:93:e0:db:11:36:54:62:34:38
			8f:0c:60:9b:3b:97:56:38:ad:f3:d2:5b:8b:a0:5b:ea
			4e:96:b8:7c:d7:d5:a0:86:70:40:d3:91:29:b7:a2:3c
			ad:f5:8c:bb:cf:1a:92:8a:e4:34:7b:c0:d8:6c:5f:e9
			0a:c2:c3:a7:20:9a:5a:df:2c:5d:52:5c:ba:47:d5:9b
			ef:24:28:70:38:20:2f:d5:7f:29:c0:b2:41:03:68:92
			cc:e0:9c:cc:97:4b:45:ef:3a:10:0a:ab:70:3a:98:95
			70:ad:35:b1:ea:85:2b:a4:1c:80:21:31:a9:ae:60:7a
			80:26:48:00:b8:01:c0:93:63:55:22:91:3c:56:e7:af
			db:3a:25:f3:8f:31:54:ea:26:8b:81:59:f9:a1:d1:53
			11:c5:7b:9d:03:f6:74:11:e0:6d:b1:2c:3f:2c:86:91
			99:71:9a:a6:77:8b:34:60:d1:14:b4:2c:ac:9d:af:8c
			10:d3:9f:c4:6a:f8:6f:13:fc:73:59:f7:66:42:74:1e
			8a:e3:f8:dc:d2:6f:98:9c:cb:47:98:95:40:05:fb:e9
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Unknown extension 1.3.6.1.5.5.7.1.1 (not critical):
			ASCII: 0O0#..+.....0...http://ocsp.CAcert.org/0(..+.....0...http://www.CAcert.org/ca.crt
			Hexdump: 304f302306082b060105050730018617687474703a2f2f6f6373702e4341636572742e6f72672f302806082b06010505073002861c687474703a2f2f7777772e4341636572742e6f72672f63612e637274
		Unknown extension 2.5.29.32 (not critical):
			ASCII: 0A0?..+......J0301..+........%http://www.CAcert.org/index.php?id=10
			Hexdump: 3041303f06082b0601040181904a3033303106082b060105050702011625687474703a2f2f7777772e4341636572742e6f72672f696e6465782e7068703f69643d3130
	Signature Algorithm: RSA-MD5
warning: signed using a broken signature algorithm that can be forged.
	Signature:
		7f:08:88:a1:da:1a:50:49:da:89:fb:a1:08:72:f3:8a
		f7:1e:c4:3a:b4:79:5b:20:30:b1:45:de:c2:5d:d3:65
		69:f1:c2:5d:54:54:3c:85:5f:b9:7b:42:91:c2:99:fd
		1b:51:9b:ab:46:a5:a1:10:53:9e:6d:88:ac:73:6e:2c
		33:a6:f0:f4:9e:e0:75:c1:3e:88:45:a9:e1:66:43:fe
		56:5a:d1:7a:41:78:f7:40:da:4a:3a:f1:0b:5b:a5:bb
		16:06:e6:c2:e7:93:b9:85:4d:97:4f:b1:1e:38:43:80
		ef:9b:0d:8c:ef:b8:a7:60:00:87:57:7d:1e:44:1c:cb
		23:ef:9b:3c:99:9d:af:b5:29:1c:45:79:16:96:4d:27
		6d:f1:1c:6c:c3:c2:55:64:b3:bc:14:e2:f3:a4:1f:1e
		32:fc:27:15:05:cf:dd:2e:ae:3e:82:61:7b:f0:21:10
		18:f6:44:ea:53:39:f9:dc:d0:9a:20:e0:c6:bb:e0:bb
		5a:4f:c4:99:c8:07:bd:b5:bd:a2:db:2e:62:0d:42:34
		41:bc:ff:8b:8a:f5:51:22:aa:88:30:00:e2:b0:d4:bc
		be:65:ba:d5:03:57:79:9b:e8:dc:c8:4d:f8:50:ed:91
		a5:52:28:a2:ac:fb:36:58:3e:e9:94:2b:91:50:87:1b
		d6:5e:d6:8c:cc:f7:0f:10:0c:52:4e:d0:16:61:e5:e5
		0a:6c:bf:17:c7:72:46:57:9c:98:f5:6c:60:63:7a:6f
		5e:b9:4e:2f:c8:b9:b9:bb:6a:85:bc:98:0d:ed:f9:3e
		97:84:34:94:ae:00:af:a1:e5:e7:92:6e:4e:bd:f3:e2
		d9:14:8b:5c:d2:eb:01:6c:a0:17:a5:2d:10:eb:9c:7a
		4a:bd:bd:ee:ce:fd:ed:22:40:ab:70:38:88:f5:0a:87
		6a:c2:ab:05:60:c9:48:05:da:53:c1:de:44:77:6a:b3
		f3:3c:3c:ed:80:bc:a6:38:4a:29:24:5f:fe:59:3b:9b
		25:7a:56:63:00:64:b9:5d:a4:62:7d:57:36:4f:ad:83
		ef:1f:92:53:a0:8e:77:57:dd:e5:61:11:3d:23:00:90
		4c:3c:fa:a3:60:93:04:a3:af:35:f6:0e:6a:8f:4f:4a
		60:a7:85:05:6c:46:a1:8f:f4:c7:76:e3:a1:59:57:f7
		71:b2:c4:6e:14:5c:6d:6d:41:66:df:1b:93:b1:d4:00
		c3:ee:cb:cf:3c:3d:21:80:a9:5f:63:65:fc:dd:e0:5f
		a4:f4:2b:f0:85:71:41:d4:67:25:fb:1a:b1:97:ae:d6
		99:82:13:41:d2:6e:a5:1b:99:27:80:e7:0b:a9:a8:00
Other Information:
	MD5 fingerprint:
		733f35541d44c9e95a4aef51ad0306b6
	SHA-1 fingerprint:
		db4c4269073fe9c2a37d890a5c1b18c4184e2a2d
	Public Key Id:
		75a871604c8813f078d98977b56dc589dfbcb17a

- The hostname in the certificate matches 'svn.blender.org'.
|<2>| ASSERT: dn.c:1211
|<2>| ASSERT: mpi.c:606
|<2>| ASSERT: dn.c:1211
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 66:43:C7:29:D2:E5:88:A2:A1:B1:6E:1C:E4:8B:6E:FD:A0:58:F7:7E:22:E2:09:30:52:FF:63:E1:66:AB:B3:2F
- Handshake was completed

- Simple Client Mode:
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-12-08 08:13:51 UTC 
Your workaround is really bad. This needs to be resolved either by Blender regenerating thier cert (it's about 30 seconds of work, I've done it for a lot of Gentoo services already), or upstream ca-certificates reversing their decision that the old cacert class3 is no longer trustworthy.

As an interesting comparision, while gnutls distrusts the chain due to the old/new mismatch, OpenSSL gets it right and trusts regardless of which old/new CA is passed, becaused the root that signs the class3 has stayed the same.

$ openssl s_client -connect 82.94.213.217:443 -CAfile $file  -verify  5
(pass /dev/null to force fail or the previous files from /tmp/ to pass)