  • #2225
Closed (moved)
Issue created Jan 25, 2023 by Brian J. Murrell@brianjmurrell

Evolution starts hitting certificate errors when ca-certificates is updated

Back on Tue 04 Feb 2020 I brought this up in IRC:

(09:22:28 AM) shred00: anyone else getting certificate trust pop-ups in evolution on Fedora 31 for google domains?
(09:35:28 AM) shred00: there is a report that closing evolution and re-opening it fixes the problem.  not sure why it would though.
(09:37:01 AM) shred00: i do see ca-certificates-2020.2.40-1.1.fc31.noarch was updated yesterday.  does evolution not pick that up dynamically?
(10:18:28 AM) mcrha: hi shred00, evo depends on glib-networking with the info about connection certificates, and it uses gnutls in the background (I doubt there's enabled OpenSSL backend for it, but I do not know that for sure)
(10:22:44 AM) mcrha: updating to ca-certificates-2020.2.40-1.1 didn't cause the trust prompt in evo, which I didn't have running when installing the ca-certificates
(10:25:37 AM) mcrha: neither after restart of the whole machine. I'm updating it completely now.
(10:54:33 AM) mcrha: shred00, no trust prompt appeared here after complete system update; using imap.gmail.com, if it matters
(10:58:00 AM) shred00: yeah.  i think the problem is if the ca-certificates package gets updated while evolution is running, evolution doesn't pick up the new certificates.

And then again on Wed 24 Jun 2020 08:23:43:
(08:24:52 AM) shred00: once again, the updating of the ca-certificates RPM on Fedora is causing the running evolution to not recognize any certs.  i suspect once i restart evolution the problem will go away, but why is this happening?
(08:33:43 AM) shred00: https://bugzilla.redhat.com/show_bug.cgi?id=1850512

And then again on Thu 16 Dec 2021 09:24:19 AM:
(09:24:44 AM) shred00: is it expected that when ca-certificates package is updated, evolution starts complaining about perfectly valid certs?
(09:29:55 AM) shred00: seems to be https://bugzilla.redhat.com/show_bug.cgi?id=1850512 but i am on F35 now with gnutls-3.7.2-2.fc35.x86_64
(09:31:25 AM) shred00: so i reopened that

And now again today, I am experiencing the same issue, and ca-certificates was updated just 45 minutes ago and I am getting certificate errors from Evolution:

image image

What gnutls-cli has to say about the caldav.calendar.yahoo.com:443 certificate:

$ gnutls-cli -d 10 -p caldav caldav.calendar.yahoo.com
|<2>| Initializing needed PKCS #11 modules
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<3>| ASSERT: ../../lib/pkcs11.c[find_multi_objs_cb]:3136
|<3>| ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3465
Processed 361 CA certificate(s).
Resolving 'caldav.calendar.yahoo.com:caldav'...
Cannot resolve caldav.calendar.yahoo.com:caldav: Servname not supported for ai_socktype
[brian@pc Downloads]$ gnutls-cli -d 10 -p 443 caldav.calendar.yahoo.com
|<2>| Initializing needed PKCS #11 modules
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<2>| p11: No login requested.
|<3>| p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE
|<3>| p11 attrs: CKA_TRUSTED
|<3>| p11 attrs: CKA_CERTIFICATE_CATEGORY=CA
|<3>| ASSERT: ../../lib/pkcs11.c[find_multi_objs_cb]:3136
|<3>| ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_list_import_url3]:3465
Processed 361 CA certificate(s).
Resolving 'caldav.calendar.yahoo.com:443'...
Connecting to '2001:4998:58:210::2001:443'...
|<5>| REC[0x562e45c5a3b0]: Allocating epoch #0
|<2>| cfg: system priority /etc/crypto-policies/back-ends/gnutls.config has not changed
|<2>| cfg: finalized system-wide priority string
|<2>| resolved 'SYSTEM' to 'NONE:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:+GROUP-FFDHE6144:+GROUP-FFDHE8192:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+AES-256-CBC:+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+AEAD:+SHA1:+SHA512:+SIGN-ECDSA-SHA3-256:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+SIGN-ECDSA-SHA3-384:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+SIGN-ECDSA-SHA3-512:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-EdDSA-Ed25519:+SIGN-EdDSA-Ed448:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA3-256:+SIGN-RSA-SHA256:+SIGN-RSA-SHA3-384:+SIGN-RSA-SHA384:+SIGN-RSA-SHA3-512:+SIGN-RSA-SHA512:+SIGN-ECDSA-SHA224:+SIGN-RSA-SHA224:+SIGN-ECDSA-SHA3-224:+SIGN-RSA-SHA3-224:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2', next ''
|<2>| selected priority string: NONE:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-SECP521R1:+GROUP-FFDHE2048:+GROUP-FFDHE3072:+GROUP-FFDHE4096:+GROUP-FFDHE6144:+GROUP-FFDHE8192:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+AES-256-CBC:+AES-128-GCM:+AES-128-CCM:+AES-128-CBC:+AEAD:+SHA1:+SHA512:+SIGN-ECDSA-SHA3-256:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SECP256R1-SHA256:+SIGN-ECDSA-SHA3-384:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+SIGN-ECDSA-SHA3-512:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-EdDSA-Ed25519:+SIGN-EdDSA-Ed448:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA3-256:+SIGN-RSA-SHA256:+SIGN-RSA-SHA3-384:+SIGN-RSA-SHA384:+SIGN-RSA-SHA3-512:+SIGN-RSA-SHA512:+SIGN-ECDSA-SHA224:+SIGN-RSA-SHA224:+SIGN-ECDSA-SHA3-224:+SIGN-RSA-SHA3-224:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-DTLS1.2
|<2>| added 3 protocols, 29 ciphersuites, 17 sig algos and 10 groups into priority list
|<5>| REC[0x562e45c5a3b0]: Allocating epoch #1
|<4>| HSK[0x562e45c5a3b0]: Adv. version: 3.3
|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (OCSP Status Request/5) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension OCSP Status Request/5 (5 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Client Certificate Type/19) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Server Certificate Type/20) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Supported Groups/10) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sent group X25519 (0x1d)
|<4>| EXT[0x562e45c5a3b0]: Sent group X448 (0x1e)
|<4>| EXT[0x562e45c5a3b0]: Sent group SECP256R1 (0x17)
|<4>| EXT[0x562e45c5a3b0]: Sent group SECP384R1 (0x18)
|<4>| EXT[0x562e45c5a3b0]: Sent group SECP521R1 (0x19)
|<4>| EXT[0x562e45c5a3b0]: Sent group FFDHE2048 (0x100)
|<4>| EXT[0x562e45c5a3b0]: Sent group FFDHE3072 (0x101)
|<4>| EXT[0x562e45c5a3b0]: Sent group FFDHE4096 (0x102)
|<4>| EXT[0x562e45c5a3b0]: Sent group FFDHE6144 (0x103)
|<4>| EXT[0x562e45c5a3b0]: Sent group FFDHE8192 (0x104)
|<4>| EXT[0x562e45c5a3b0]: Sending extension Supported Groups/10 (22 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Supported EC Point Formats/11 (2 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (SRP/12) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Signature Algorithms/13) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.7) EdDSA-Ed25519
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.8) EdDSA-Ed448
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.10) RSA-PSS-SHA384
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.11) RSA-PSS-SHA512
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x562e45c5a3b0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x562e45c5a3b0]: Sending extension Signature Algorithms/13 (30 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (SRTP/14) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Heartbeat/15) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (ALPN/16) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Encrypt-then-MAC/22 (0 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Extended Master Secret/23) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Extended Master Secret/23 (0 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Session Ticket/35) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Session Ticket/35 (0 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Key Share/51) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: sending key share for X25519
|<4>| EXT[0x562e45c5a3b0]: sending key share for SECP256R1
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<4>| EXT[0x562e45c5a3b0]: Sending extension Key Share/51 (107 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Supported Versions/43) for 'client hello'
|<2>| Advertizing version 3.4
|<2>| Advertizing version 3.3
|<4>| EXT[0x562e45c5a3b0]: Sending extension Supported Versions/43 (5 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Post Handshake Auth/49) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Safe Renegotiation/65281 (1 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Server Name Indication/0) for 'client hello'
|<2>| HSK[0x562e45c5a3b0]: sent server name: 'caldav.calendar.yahoo.com'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Server Name Indication/0 (30 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Cookie/44) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Early Data/42) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Record Size Limit/28) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Sending extension Record Size Limit/28 (2 bytes)
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Maximum Record Size/1) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Compress Certificate/27) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (ClientHello Padding/21) for 'client hello'
|<4>| EXT[0x562e45c5a3b0]: Preparing extension (Pre Shared Key/41) for 'client hello'
|<4>| HSK[0x562e45c5a3b0]: CLIENT HELLO was queued [394 bytes]
|<5>| REC[0x562e45c5a3b0]: Preparing Packet Handshake(22) with length: 394 and min pad: 0
|<9>| ENC[0x562e45c5a3b0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<5>| REC[0x562e45c5a3b0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 399
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 122
|<5>| REC[0x562e45c5a3b0]: Expected Packet Handshake(22)
|<5>| REC[0x562e45c5a3b0]: Received Packet Handshake(22) with length: 122
|<10>| READ: Got 122 bytes from 0x3
|<10>| READ: read 122 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 122 bytes.
|<10>| RB: Requested 127 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[0] Handshake(22) with length: 122
|<4>| HSK[0x562e45c5a3b0]: SERVER HELLO (2) was received. Length 118[118], frag offset 0, frag length: 118, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1176
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1428
|<4>| HSK[0x562e45c5a3b0]: Server's version: 3.3
|<4>| EXT[0x562e45c5a3b0]: Parsing extension 'Supported Versions/43' (2 bytes)
|<4>| EXT[0x562e45c5a3b0]: Negotiated version: 3.4
|<4>| HSK[0x562e45c5a3b0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256
|<4>| EXT[0x562e45c5a3b0]: Parsing extension 'Key Share/51' (36 bytes)
|<4>| HSK[0x562e45c5a3b0]: Selected group X25519 (6)
|<2>| EXT[0x562e45c5a3b0]: client generated X25519 shared key
|<5>| REC[0x562e45c5a3b0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<9>| ENC[0x562e45c5a3b0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<5>| REC[0x562e45c5a3b0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
|<4>| REC[0x562e45c5a3b0]: Sent ChangeCipherSpec
|<5>| REC[0x562e45c5a3b0]: Initializing epoch #1
|<9>| INT: CLIENT WRITE KEY [16]: c032a9733f032798a5919558eceb0792
|<9>| INT: SERVER WRITE KEY [16]: 863aa25e1886b2f53a65867c8098cd20
|<9>| INT: CLIENT WRITE IV [12]: 15e1932f826609961dc78509
|<9>| INT: SERVER WRITE IV [12]: 06744aad85be5ac317e2026f
|<5>| REC[0x562e45c5a3b0]: Epoch #1 ready
|<4>| HSK[0x562e45c5a3b0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
|<5>| REC[0x562e45c5a3b0]: Expected Packet Handshake(22)
|<5>| REC[0x562e45c5a3b0]: Received Packet ChangeCipherSpec(20) with length: 1
|<10>| READ: Got 1 bytes from 0x3
|<10>| READ: read 1 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 1 bytes.
|<10>| RB: Requested 6 bytes
|<10>| discarding change cipher spec in TLS1.3
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Application Data packet received. Epoch 1, length: 27
|<5>| REC[0x562e45c5a3b0]: Expected Packet Handshake(22)
|<5>| REC[0x562e45c5a3b0]: Received Packet Application Data(23) with length: 27
|<10>| READ: Got 27 bytes from 0x3
|<10>| READ: read 27 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 27 bytes.
|<10>| RB: Requested 32 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[0] Handshake(22) with length: 10
|<4>| HSK[0x562e45c5a3b0]: ENCRYPTED EXTENSIONS (8) was received. Length 6[6], frag offset 0, frag length: 6, sequence: 0
|<4>| HSK[0x562e45c5a3b0]: parsing encrypted extensions
|<4>| EXT[0x562e45c5a3b0]: Parsing extension 'Server Name Indication/0' (0 bytes)
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Application Data packet received. Epoch 1, length: 4864
|<5>| REC[0x562e45c5a3b0]: Expected Packet Handshake(22)
|<5>| REC[0x562e45c5a3b0]: Received Packet Application Data(23) with length: 4864
|<10>| READ: Got 3926 bytes from 0x3
|<10>| READ: Got 938 bytes from 0x3
|<10>| READ: read 4864 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 4864 bytes.
|<10>| RB: Requested 4869 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[1] Handshake(22) with length: 4847
|<4>| HSK[0x562e45c5a3b0]: CERTIFICATE (11) was received. Length 4843[4843], frag offset 0, frag length: 4843, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1176
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1428
|<4>| HSK[0x562e45c5a3b0]: parsing certificate message
|<4>| Found OCSP response on cert 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Application Data packet received. Epoch 1, length: 96
|<5>| REC[0x562e45c5a3b0]: Expected Packet Handshake(22)
|<5>| REC[0x562e45c5a3b0]: Received Packet Application Data(23) with length: 96
|<10>| READ: Got 96 bytes from 0x3
|<10>| READ: read 96 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 96 bytes.
|<10>| RB: Requested 101 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[2] Handshake(22) with length: 79
|<4>| HSK[0x562e45c5a3b0]: CERTIFICATE VERIFY (15) was received. Length 75[75], frag offset 0, frag length: 75, sequence: 0
|<4>| HSK[0x562e45c5a3b0]: Parsing certificate verify
|<4>| HSK[0x562e45c5a3b0]: verifying TLS 1.3 handshake data using ECDSA-SECP256R1-SHA256
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.fantasysports.yahoo.com,O=Oath Holdings Inc.,L=Sunnyvale,ST=California,C=US', issuer `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x044bf6d2a94f8339731686848cf6ce5a, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2023-01-19 00:00:00 UTC', expires `2023-03-08 23:59:59 UTC', pin-sha256="PQwHNbw+SELJuJPVQD/EIZj+Mm6akp75iUk9UVCLQwQ="
	Public Key ID:
		sha1:1be9bd8fa362ee0a670b055f433dff94e8799b58
		sha256:3d0c0735bc3e4842c9b893d5403fc42198fe326e9a929ef989493d51508b4304
	Public Key PIN:
		pin-sha256:PQwHNbw+SELJuJPVQD/EIZj+Mm6akp75iUk9UVCLQwQ=

- Certificate[1] info:
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
 - subject `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x04e1e7a4dc5cf2f36dc02b42b85d159f, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="
|<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1569
|<3>| ASSERT: ../../../lib/x509/ocsp.c[find_signercert]:1975
|<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_x509_der_encode]:875
|<3>| ASSERT: ../../../lib/x509/ocsp.c[find_signercert]:2070
|<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1569
|<3>| ASSERT: ../../../lib/x509/ocsp.c[gnutls_ocsp_resp_verify]:2331
|<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1569
|<3>| ASSERT: ../../../lib/x509/ocsp.c[find_signercert]:1975
|<3>| ASSERT: ../../../lib/x509/common.c[_gnutls_x509_der_encode]:875
|<3>| ASSERT: ../../../lib/x509/ocsp.c[find_signercert]:2070
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
|<3>| ocsp signer: subject `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x04e1e7a4dc5cf2f36dc02b42b85d159f, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="
|<3>| ASSERT: ../../../lib/x509/ocsp.c[gnutls_ocsp_resp_get_single]:1629
|<3>| ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:98
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../../lib/x509/verify.c[verify_crt]:688
|<3>| ASSERT: ../../../lib/x509/verify.c[verify_crt]:840
|<3>| ASSERT: ../../../lib/x509/verify.c[_gnutls_verify_crt_status]:1034
|<2>| issuer in verification was not found or insecure; trying against trust list
|<3>| ASSERT: ../../../lib/x509/verify.c[verify_crt]:688
|<3>| ASSERT: ../../../lib/x509/verify.c[verify_crt]:840
|<3>| ASSERT: ../../../lib/x509/verify.c[_gnutls_verify_crt_status]:1034
|<3>| ASSERT: ../../../lib/x509/verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4627
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4650
|<2>| crt_is_known: did not find any cert
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4627
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4650
|<2>| crt_is_known: did not find any cert
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4627
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4650
|<2>| crt_is_known: did not find any cert
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4627
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4650
|<2>| crt_is_known: did not find any cert
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<2>| crt_is_known: did not find cert, using issuer DN + serial, using DN only
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4627
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<2>| p11: No login requested.
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4265
|<3>| ASSERT: ../../lib/pkcs11.c[find_cert_cb]:4087
|<3>| ASSERT: ../../lib/pkcs11.c[_gnutls_pkcs11_crt_is_known]:4650
|<2>| crt_is_known: did not find any cert
|<2>| looking for key purpose '1.3.6.1.5.5.7.3.1', but have '1.3.6.1.5.5.7.3.4'
|<3>| ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:493
|<3>| ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:493
- Status: The certificate is trusted. 
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Application Data packet received. Epoch 1, length: 53
|<5>| REC[0x562e45c5a3b0]: Expected Packet Handshake(22)
|<5>| REC[0x562e45c5a3b0]: Received Packet Application Data(23) with length: 53
|<10>| READ: Got 53 bytes from 0x3
|<10>| READ: read 53 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 53 bytes.
|<10>| RB: Requested 58 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[3] Handshake(22) with length: 36
|<4>| HSK[0x562e45c5a3b0]: FINISHED (20) was received. Length 32[32], frag offset 0, frag length: 32, sequence: 0
|<4>| HSK[0x562e45c5a3b0]: parsing finished
|<4>| HSK[0x562e45c5a3b0]: sending finished
|<4>| HSK[0x562e45c5a3b0]: FINISHED was queued [36 bytes]
|<5>| REC[0x562e45c5a3b0]: Preparing Packet Handshake(22) with length: 36 and min pad: 0
|<9>| ENC[0x562e45c5a3b0]: cipher: AES-128-GCM, MAC: AEAD, Epoch: 1
|<5>| REC[0x562e45c5a3b0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 58
|<3>| ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:967
|<5>| REC[0x562e45c5a3b0]: Allocating epoch #2
|<5>| REC[0x562e45c5a3b0]: Initializing epoch #2
|<9>| INT: CLIENT WRITE KEY [16]: 13abc1a68e53cfb439a5912e3adbf1c2
|<9>| INT: SERVER WRITE KEY [16]: 843d49b3e00a9067079e2159611374f3
|<9>| INT: CLIENT WRITE IV [12]: 231a04c344ecc289db673b23
|<9>| INT: SERVER WRITE IV [12]: 135fdad7c74a3d008a89e759
|<5>| REC[0x562e45c5a3b0]: Epoch #2 ready
|<4>| HSK[0x562e45c5a3b0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
|<5>| REC[0x562e45c5a3b0]: Start of epoch cleanup
|<5>| REC[0x562e45c5a3b0]: Epoch #0 freed
|<5>| REC[0x562e45c5a3b0]: Epoch #1 freed
|<5>| REC[0x562e45c5a3b0]: End of epoch cleanup
- Description: (TLS1.3-X.509)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
- Session ID: 26:36:46:48:16:75:DB:51:BD:42:B3:61:EE:4C:55:6D:2D:B8:5D:9F:96:28:74:E9:40:74:95:44:34:96:59:FD
|<3>| ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:229
- Options: OCSP status request,
|<3>| ASSERT: ../../../lib/ext/srtp.c[gnutls_srtp_get_selected_profile]:320
|<3>| ASSERT: ../../../lib/ext/alpn.c[gnutls_alpn_get_selected_protocol]:246
- Handshake was completed

- Simple Client Mode:

|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Application Data packet received. Epoch 2, length: 282
|<5>| REC[0x562e45c5a3b0]: Expected Packet Application Data(23)
|<5>| REC[0x562e45c5a3b0]: Received Packet Application Data(23) with length: 282
|<10>| READ: Got 282 bytes from 0x3
|<10>| READ: read 282 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 282 bytes.
|<10>| RB: Requested 287 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[0] Handshake(22) with length: 265
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<4>| HSK[0x562e45c5a3b0]: NEW SESSION TICKET (4) was received. Length 261[261], frag offset 0, frag length: 261, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
|<4>| HSK[0x562e45c5a3b0]: parsing session ticket message
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1589
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_int]:1787
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x562e45c5a3b0]: SSL 3.3 Application Data packet received. Epoch 2, length: 282
|<5>| REC[0x562e45c5a3b0]: Expected Packet Application Data(23)
|<5>| REC[0x562e45c5a3b0]: Received Packet Application Data(23) with length: 282
|<10>| READ: Got 282 bytes from 0x3
|<10>| READ: read 282 bytes from 0x3
|<10>| RB: Have 5 bytes into buffer. Adding 282 bytes.
|<10>| RB: Requested 287 bytes
|<5>| REC[0x562e45c5a3b0]: Decrypted Packet[1] Handshake(22) with length: 265
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<4>| HSK[0x562e45c5a3b0]: NEW SESSION TICKET (4) was received. Length 261[261], frag offset 0, frag length: 261, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
|<4>| HSK[0x562e45c5a3b0]: parsing session ticket message
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1589
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_int]:1787

Buried in there is a "- Status: The certificate is trusted." openssl s_client also confirms that the system's CA PKI database trusts the above cert.

Both of the above seem to indicate that this is not a problem with the system trust database but rather Evolution's current state of/with it.

As every time before, I am quite sure that if I simply restart Evolution, all will be OK again. But one really should not need to do that. Evolution should be able to handle an update of ca-certificates without having to be restarted.

Edited Jan 25, 2023 by Andre Klapper
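
What the report's closing paragraph asks for, sketched as an added example (not code from Evolution, glib-networking or GnuTLS, and not part of the original report): a long-running process checks the identity of the CA bundle file before each use and reloads it once the file has been replaced. The names `ReloadingTrustStore`, `fingerprint`, `load_tls_context`, `read_labels` and `demo` are hypothetical, and the demo uses a constructed stand-in bundle of text labels rather than real certificates.

```python
import os
import ssl
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """Cheap identity of a file on disk; changes when the file is replaced."""
    inode: int
    mtime_ns: int
    size: int


def fingerprint(path):
    st = os.stat(path)  # follows symlinks, so a retargeted link is noticed too
    return Fingerprint(st.st_ino, st.st_mtime_ns, st.st_size)


def load_tls_context(path):
    """Default loader: a verifying client context built from the bundle."""
    return ssl.create_default_context(cafile=path)


class ReloadingTrustStore:
    """Caches whatever `loader(path)` returns and reloads it when the file changes."""

    def __init__(self, path, loader=load_tls_context):
        self._path = path
        self._loader = loader
        self._seen = None    # fingerprint of the bundle that produced _value
        self._value = None   # last successfully loaded trust data
        self.reloads = 0

    def get(self):
        try:
            current = fingerprint(self._path)
        except FileNotFoundError:
            # The bundle can be briefly absent while it is being rewritten.
            if self._value is None:
                raise
            return self._value
        if current != self._seen:
            try:
                value = self._loader(self._path)
            except (OSError, ssl.SSLError):
                # Half-written or unreadable bundle: keep the last good copy
                # and try again on the next call (_seen is left unchanged).
                if self._value is None:
                    raise
                return self._value
            self._value, self._seen = value, current
            self.reloads += 1
        return self._value


def read_labels(path):
    """Constructed stand-in loader: one CA label per line, no real certificates."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().split()


def demo():
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "tls-ca-bundle.pem")
        with open(bundle, "w", encoding="utf-8") as fh:
            fh.write("CA-A\n")
        store = ReloadingTrustStore(bundle, loader=read_labels)
        before = store.get()
        cached = store.get() is before  # unchanged file: no reload

        # Simulate an update that writes a new file and renames it over the old one.
        staged = bundle + ".new"
        with open(staged, "w", encoding="utf-8") as fh:
            fh.write("CA-A\nCA-B\n")
        os.replace(staged, bundle)

        after = store.get()  # picked up without restarting the process
        return before, cached, after, store.reloads


if __name__ == "__main__":
    print(demo())
```
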