which accepts several server misconfigurations
OpenSSL is very liberal about the order and content of the supplied
cert chain. GnuTLS however is very crucial about it. So to support
GnuTLS we need to tell our community to fix their servers (joindiaspora.com
is broken too). You can check it with
gnutls-cli -V --x506cafile=/etc/ssl/ca-certificates.crt $domain
It will print the certs in the order received and say at the end
if it could be verifed. Note that not only the order is important but
also the content. Many example configurations, especially for Nginx,
include the root cert of the CA in the chain which is wrong.
Note from a GnuTLS maintainer: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23573736#29
Revert "Fix federation with GnuTLS by passing the ca_file to Typhoeus"
This reverts commit 640a0181ab.
How did this ever work? Anyway Diaspora now works with libcurl4-gnutls-dev
which already supports SNI in most distributions and is also the default
for many distros. Everybody should switch to it. Do so by installing it and
then do a gem uninstall typhoeus followed by a bundle to compile it with
GnuTLS
