* bug#24575: 25.1; TLS cert lossage
@ 2016-09-30 21:49 Devon Sean McCullough
2016-10-01 7:58 ` Eli Zaretskii
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Devon Sean McCullough @ 2016-09-30 21:49 UTC (permalink / raw)
To: 24575
url-retrieve-synchronously distrusts this perfectly good cert
which is trusted by Emacs 24.3, Emacs 24.5 and FireFox 49.0.1:
$ Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq
debug-on-error t) (trace-function (function nsm-query-user))
(url-retrieve-synchronously "https://HostGator.com"))'
*trace-output*
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the
following reason%s:
%s" ("hostgator.com" 443 "s" "the certificate was signed by an unknown and
therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: COMODO RSA Domain Validation Secure Server CA
Issued to: Domain Control Validated
Hostname: *.hostgator.com
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-CBC, mac: SHA256
Security level: Medium
Valid: From 2015-10-16 to 2018-10-15
" 315 321 (face bold)))
1 <- nsm-query-user: no
*Backtrace*
Debugger entered--Lisp error: (error "Could not create connection to
hostgator.com:443")
signal(error ("Could not create connection to hostgator.com:443"))
error("Could not create connection to %s:%d" "hostgator.com" 443)
url-http([cl-struct-url "https" nil nil "hostgator.com" nil "" nil nil t
nil t] #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil)
(nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn
&rest IGNORED)"] (nil) nil tls)
url-https([cl-struct-url "https" nil nil "hostgator.com" nil "" nil nil
t nil t] #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil)
(nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn
&rest IGNORED)"] (nil))
url-retrieve-internal("https://HostGator.com" #[128
"\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug
retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest
IGNORED)"] (nil) nil nil)
url-retrieve("https://HostGator.com" #[128
"\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug
retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest
IGNORED)"] nil nil nil)
url-retrieve-synchronously("https://HostGator.com")
(progn (setq debug-on-error t) (trace-function (function
nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com"))
eval((progn (setq debug-on-error t) (trace-function (function
nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com")))
command-line-1(("--eval" "(progn (setq debug-on-error t) (trace-function
(function nsm-query-user)) (url-retrieve-synchronously
\"https://HostGator.com\"))"))
command-line()
normal-top-level()
$ Open https://HostGator.com # FireFox 49.0.1 accepts the cert without
question and can export the chain to a PEM file:
$ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {cert = cert "\n" $0}; /END
CERTIFICATE/ {system ("OpenSSL x509 -text <<.\n" cert "\n.\n"); cert =
""}' < '*.hostgator.com.crt'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cb:66:63:4e:f1:c6:d1:71:40:ab:7d:99:b5:4c:16:de
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Oct 16 00:00:00 2015 GMT
Not After : Oct 15 23:59:59 2018 GMT
Subject: OU=Domain Control Validated, OU=Hosted by HostGator.com,
LLC., OU=PositiveSSL Wildcard, CN=*.hostgator.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c7:a5:32:1b:d3:af:0a:81:a6:60:da:87:80:e8:
71:b4:2d:8f:4f:5b:5c:e3:75:b5:f5:ae:01:21:f7:
e5:ca:f3:8b:64:fd:d8:d7:09:ec:c0:b8:b1:3e:ed:
8d:13:b6:fa:69:ff:10:c0:30:e1:ea:8e:23:ba:4d:
a3:f9:d7:b7:ca:b9:a4:df:76:a6:37:b9:c0:ea:44:
4c:db:f0:60:45:ea:1c:47:b7:26:33:f7:e6:3b:70:
42:94:6c:d9:29:4d:9f:f5:42:46:db:96:65:40:f4:
24:8a:34:2d:f8:84:99:98:ac:40:d4:27:11:b7:0d:
11:0b:c2:ed:77:cb:e6:93:7c:99:5a:6a:f6:eb:f1:
02:f8:26:d9:9a:15:b7:8e:2d:a0:dc:d8:f4:5c:ce:
ef:20:a2:49:0f:b6:69:ab:e7:dc:21:5d:46:64:2c:
34:1b:81:74:9c:d6:2f:d5:05:fd:77:df:d7:3f:97:
80:49:b7:81:52:7d:1c:be:9b:ce:3d:3e:2d:96:5b:
1f:04:2c:62:ff:c4:1c:f8:e3:ab:4d:40:49:81:32:
e1:81:df:7c:1c:39:15:55:cf:47:19:35:a0:4d:cd:
7e:ef:b0:be:31:74:15:52:8d:d7:d2:7e:e6:9e:87:
9a:87:8c:62:b6:0d:8a:f8:cb:60:08:f7:d9:e8:22:
5e:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
CE:54:03:B4:98:00:7C:DE:70:72:6C:9C:D4:BE:39:01:FE:31:EE:C3
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers -
URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:*.hostgator.com, DNS:hostgator.com
Signature Algorithm: sha256WithRSAEncryption
2b:89:cf:de:f6:af:78:80:0c:dd:cb:d8:39:ee:bf:41:3a:5c:
a1:64:95:5e:cd:b5:25:b6:fc:e2:07:73:ab:05:d3:26:35:70:
12:93:2d:4e:ca:61:35:4e:6c:12:e6:ed:f1:46:cf:ac:60:c1:
bf:7c:dd:82:f2:54:e5:55:53:95:05:84:d4:36:7d:45:9d:b9:
87:32:c9:35:79:58:cc:89:1d:54:b2:be:33:21:46:af:98:05:
2a:8a:58:c2:64:b4:13:b8:ea:ce:b1:4b:d5:95:2b:2e:b2:ac:
a5:fd:dc:7f:91:b6:a1:8f:d0:6f:bb:da:23:73:d7:3f:44:c9:
c2:50:d6:4e:d0:b8:0d:91:95:9f:63:f4:46:ab:18:c8:b1:6c:
cd:3d:35:64:24:dd:96:f4:2e:54:13:6a:33:c9:d0:ed:e3:47:
9b:ba:56:d9:52:ef:3c:42:40:26:e3:c7:4f:93:04:88:f7:4c:
12:67:1a:35:28:a5:c8:8a:63:36:7a:5b:4e:af:42:c6:e8:14:
e9:12:4b:8c:a5:23:fb:6d:fe:03:b9:66:fc:7e:a0:5f:cd:99:
a1:bc:b6:70:25:75:9a:15:d5:a2:c4:a5:ea:ba:2b:84:74:a7:
ef:cd:0a:12:8a:10:0c:82:eb:ba:2c:c8:c1:08:4f:b5:1e:85:
88:a7:ae:eb
-----BEGIN CERTIFICATE-----
MIIFfjCCBGagAwIBAgIRAMtmY07xxtFxQKt9mbVMFt4wDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUxMDE2MDAwMDAwWhcNMTgxMDE1MjM1OTU5WjCBhDEhMB8GA1UECxMY
RG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSYwJAYDVQQLEx1Ib3N0ZWQgYnkgSG9z
dEdhdG9yLmNvbSwgTExDLjEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2lsZGNhcmQx
GDAWBgNVBAMMDyouaG9zdGdhdG9yLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMelMhvTrwqBpmDah4DocbQtj09bXON1tfWuASH35crzi2T92NcJ
7MC4sT7tjRO2+mn/EMAw4eqOI7pNo/nXt8q5pN92pje5wOpETNvwYEXqHEe3JjP3
5jtwQpRs2SlNn/VCRtuWZUD0JIo0LfiEmZisQNQnEbcNEQvC7XfL5pN8mVpq9uvx
Avgm2ZoVt44toNzY9FzO7yCiSQ+2aavn3CFdRmQsNBuBdJzWL9UF/Xff1z+XgEm3
gVJ9HL6bzj0+LZZbHwQsYv/EHPjjq01ASYEy4YHffBw5FVXPRxk1oE3Nfu+wvjF0
FVKN19J+5p6HmoeMYrYNivjLYAj32egiXl8CAwEAAaOCAdswggHXMB8GA1UdIwQY
MBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBTOVAO0mAB83nBybJzU
vjkB/jHuwzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzAr
MCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZn
gQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBhQYI
KwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wKQYDVR0RBCIwIIIP
Ki5ob3N0Z2F0b3IuY29tgg1ob3N0Z2F0b3IuY29tMA0GCSqGSIb3DQEBCwUAA4IB
AQAric/e9q94gAzdy9g57r9BOlyhZJVezbUltvziB3OrBdMmNXASky1OymE1TmwS
5u3xRs+sYMG/fN2C8lTlVVOVBYTUNn1FnbmHMsk1eVjMiR1Usr4zIUavmAUqiljC
ZLQTuOrOsUvVlSsusqyl/dx/kbahj9Bvu9ojc9c/RMnCUNZO0LgNkZWfY/RGqxjI
sWzNPTVkJN2W9C5UE2ozydDt40ebulbZUu88QkAm48dPkwSI90wSZxo1KKXIimM2
eltOr0LG6BTpEkuMpSP7bf4DuWb8fqBfzZmhvLZwJXWaFdWixKXquiuEdKfvzQoS
ihAMguu6LMjBCE+1HoWIp67r
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO RSA Certification Authority
Validity
Not Before: Feb 12 00:00:00 2014 GMT
Not After : Feb 11 23:59:59 2029 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO RSA Domain Validation Secure Server CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:8e:c2:02:19:e1:a0:59:a4:eb:38:35:8d:2c:fd:
01:d0:d3:49:c0:64:c7:0b:62:05:45:16:3a:a8:a0:
c0:0c:02:7f:1d:cc:db:c4:a1:6d:77:03:a3:0f:86:
f9:e3:06:9c:3e:0b:81:8a:9b:49:1b:ad:03:be:fa:
4b:db:8c:20:ed:d5:ce:5e:65:8e:3e:0d:af:4c:c2:
b0:b7:45:5e:52:2f:34:de:48:24:64:b4:41:ae:00:
97:f7:be:67:de:9e:d0:7a:a7:53:80:3b:7c:ad:f5:
96:55:6f:97:47:0a:7c:85:8b:22:97:8d:b3:84:e0:
96:57:d0:70:18:60:96:8f:ee:2d:07:93:9d:a1:ba:
ca:d1:cd:7b:e9:c4:2a:9a:28:21:91:4d:6f:92:4f:
25:a5:f2:7a:35:dd:26:dc:46:a5:d0:ac:59:35:8c:
ff:4e:91:43:50:3f:59:93:1e:6c:51:21:ee:58:14:
ab:fe:75:50:78:3e:4c:b0:1c:86:13:fa:6b:98:bc:
e0:3b:94:1e:85:52:dc:03:93:24:18:6e:cb:27:51:
45:e6:70:de:25:43:a4:0d:e1:4a:a5:ed:b6:7e:c8:
cd:6d:ee:2e:1d:27:73:5d:dc:45:30:80:aa:e3:b2:
41:0b:af:bd:44:87:da:b9:e5:1b:9d:7f:ae:e5:85:
82:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
X509v3 Subject Key Identifier:
90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl
Authority Information Access:
CA Issuers -
URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
OCSP - URI:http://ocsp.comodoca.com
Signature Algorithm: sha384WithRSAEncryption
4e:2b:76:4f:92:1c:62:36:89:ba:77:c1:27:05:f4:1c:d6:44:
9d:a9:9a:3e:aa:d5:66:66:01:3e:ea:49:e6:a2:35:bc:fa:f6:
dd:95:8e:99:35:98:0e:36:18:75:b1:dd:dd:50:72:7c:ae:dc:
77:88:ce:0f:f7:90:20:ca:a3:67:2e:1f:56:7f:7b:e1:44:ea:
42:95:c4:5d:0d:01:50:46:15:f2:81:89:59:6c:8a:dd:8c:f1:
12:a1:8d:3a:42:8a:98:f8:4b:34:7b:27:3b:08:b4:6f:24:3b:
72:9d:63:74:58:3c:1a:6c:3f:4f:c7:11:9a:c8:a8:f5:b5:37:
ef:10:45:c6:6c:d9:e0:5e:95:26:b3:eb:ad:a3:b9:ee:7f:0c:
9a:66:35:73:32:60:4e:e5:dd:8a:61:2c:6e:52:11:77:68:96:
d3:18:75:51:15:00:1b:74:88:dd:e1:c7:38:04:43:28:e9:16:
fd:d9:05:d4:5d:47:27:60:d6:fb:38:3b:6c:72:a2:94:f8:42:
1a:df:ed:6f:06:8c:45:c2:06:00:aa:e4:e8:dc:d9:b5:e1:73:
78:ec:f6:23:dc:d1:dd:6c:8e:1a:8f:a5:ea:54:7c:96:b7:c3:
fe:55:8e:8d:49:5e:fc:64:bb:cf:3e:bd:96:eb:69:cd:bf:e0:
48:f1:62:82:10:e5:0c:46:57:f2:33:da:d0:c8:63:ed:c6:1f:
94:05:96:4a:1a:91:d1:f7:eb:cf:8f:52:ae:0d:08:d9:3e:a8:
a0:51:e9:c1:87:74:d5:c9:f7:74:ab:2e:53:fb:bb:7a:fb:97:
e2:f8:1f:26:8f:b3:d2:a0:e0:37:5b:28:3b:31:e5:0e:57:2d:
5a:b8:ad:79:ac:5e:20:66:1a:a5:b9:a6:b5:39:c1:f5:98:43:
ff:ee:f9:a7:a7:fd:ee:ca:24:3d:80:16:c4:17:8f:8a:c1:60:
a1:0c:ae:5b:43:47:91:4b:d5:9a:17:5f:f9:d4:87:c1:c2:8c:
b7:e7:e2:0f:30:19:37:86:ac:e0:dc:42:03:e6:94:a8:9d:ae:
fd:0f:24:51:94:ce:92:08:d1:fc:50:f0:03:40:7b:88:59:ed:
0e:dd:ac:d2:77:82:34:dc:06:95:02:d8:90:f9:2d:ea:37:d5:
1a:60:d0:67:20:d7:d8:42:0b:45:af:82:68:de:dd:66:24:37:
90:29:94:19:46:19:25:b8:80:d7:cb:d4:86:28:6a:44:70:26:
23:62:a9:9f:86:6f:bf:ba:90:70:d2:56:77:85:78:ef:ea:25:
a9:17:ce:50:72:8c:00:3a:aa:e3:db:63:34:9f:f8:06:71:01:
e2:82:20:d4:fe:6f:bd:b1
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO RSA Certification Authority
Validity
Not Before: Jan 19 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA
Limited, CN=COMODO RSA Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:91:e8:54:92:d2:0a:56:b1:ac:0d:24:dd:c5:cf:
44:67:74:99:2b:37:a3:7d:23:70:00:71:bc:53:df:
c4:fa:2a:12:8f:4b:7f:10:56:bd:9f:70:72:b7:61:
7f:c9:4b:0f:17:a7:3d:e3:b0:04:61:ee:ff:11:97:
c7:f4:86:3e:0a:fa:3e:5c:f9:93:e6:34:7a:d9:14:
6b:e7:9c:b3:85:a0:82:7a:76:af:71:90:d7:ec:fd:
0d:fa:9c:6c:fa:df:b0:82:f4:14:7e:f9:be:c4:a6:
2f:4f:7f:99:7f:b5:fc:67:43:72:bd:0c:00:d6:89:
eb:6b:2c:d3:ed:8f:98:1c:14:ab:7e:e5:e3:6e:fc:
d8:a8:e4:92:24:da:43:6b:62:b8:55:fd:ea:c1:bc:
6c:b6:8b:f3:0e:8d:9a:e4:9b:6c:69:99:f8:78:48:
30:45:d5:ad:e1:0d:3c:45:60:fc:32:96:51:27:bc:
67:c3:ca:2e:b6:6b:ea:46:c7:c7:20:a0:b1:1f:65:
de:48:08:ba:a4:4e:a9:f2:83:46:37:84:eb:e8:cc:
81:48:43:67:4e:72:2a:9b:5c:bd:4c:1b:28:8a:5c:
22:7b:b4:ab:98:d9:ee:e0:51:83:c3:09:46:4e:6d:
3e:99:fa:95:17:da:7c:33:57:41:3c:8d:51:ed:0b:
b6:5c:af:2c:63:1a:df:57:c8:3f:bc:e9:5d:c4:9b:
af:45:99:e2:a3:5a:24:b4:ba:a9:56:3d:cf:6f:aa:
ff:49:58:be:f0:a8:ff:f4:b8:ad:e9:37:fb:ba:b8:
f4:0b:3a:f9:e8:43:42:1e:89:d8:84:cb:13:f1:d9:
bb:e1:89:60:b8:8c:28:56:ac:14:1d:9c:0a:e7:71:
eb:cf:0e:dd:3d:a9:96:a1:48:bd:3c:f7:af:b5:0d:
22:4c:c0:11:81:ec:56:3b:f6:d3:a2:e2:5b:b7:b2:
04:22:52:95:80:93:69:e8:8e:4c:65:f1:91:03:2d:
70:74:02:ea:8b:67:15:29:69:52:02:bb:d7:df:50:
6a:55:46:bf:a0:a3:28:61:7f:70:d0:c3:a2:aa:2c:
21:aa:47:ce:28:9c:06:45:76:bf:82:18:27:b4:d5:
ae:b4:cb:50:e6:6b:f4:4c:86:71:30:e9:a6:df:16:
86:e0:d8:ff:40:dd:fb:d0:42:88:7f:a3:33:3a:2e:
5c:1e:41:11:81:63:ce:18:71:6b:2b:ec:a6:8a:b7:
31:5c:3a:6a:47:e0:c3:79:59:d6:20:1a:af:f2:6a:
98:aa:72:bc:57:4a:d2:4b:9d:bb:10:fc:b0:4c:41:
e5:ed:1d:3d:5e:28:9d:9c:cc:bf:b3:51:da:a7:47:
e5:84:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha384WithRSAEncryption
0a:f1:d5:46:84:b7:ae:51:bb:6c:b2:4d:41:14:00:93:4c:9c:
cb:e5:c0:54:cf:a0:25:8e:02:f9:fd:b0:a2:0d:f5:20:98:3c:
13:2d:ac:56:a2:b0:d6:7e:11:92:e9:2e:ba:9e:2e:9a:72:b1:
bd:19:44:6c:61:35:a2:9a:b4:16:12:69:5a:8c:e1:d7:3e:a4:
1a:e8:2f:03:f4:ae:61:1d:10:1b:2a:a4:8b:7a:c5:fe:05:a6:
e1:c0:d6:c8:fe:9e:ae:8f:2b:ba:3d:99:f8:d8:73:09:58:46:
6e:a6:9c:f4:d7:27:d3:95:da:37:83:72:1c:d3:73:e0:a2:47:
99:03:38:5d:d5:49:79:00:29:1c:c7:ec:9b:20:1c:07:24:69:
57:78:b2:39:fc:3a:84:a0:b5:9c:7c:8d:bf:2e:93:62:27:b7:
39:da:17:18:ae:bd:3c:09:68:ff:84:9b:3c:d5:d6:0b:03:e3:
57:9e:14:f7:d1:eb:4f:c8:bd:87:23:b7:b6:49:43:79:85:5c:
ba:eb:92:0b:a1:c6:e8:68:a8:4c:16:b1:1a:99:0a:e8:53:2c:
92:bb:a1:09:18:75:0c:65:a8:7b:cb:23:b7:1a:c2:28:85:c3:
1b:ff:d0:2b:62:ef:a4:7b:09:91:98:67:8c:14:01:cd:68:06:
6a:63:21:75:03:80:88:8a:6e:81:c6:85:f2:a9:a4:2d:e7:f4:
a5:24:10:47:83:ca:cd:f4:8d:79:58:b1:06:9b:e7:1a:2a:d9:
9d:01:d7:94:7d:ed:03:4a:ca:f0:db:e8:a9:01:3e:f5:56:99:
c9:1e:8e:49:3d:bb:e5:09:b9:e0:4f:49:92:3d:16:82:40:cc:
cc:59:c6:e6:3a:ed:12:2e:69:3c:6c:95:b1:fd:aa:1d:7b:7f:
86:be:1e:0e:32:46:fb:fb:13:8f:75:7f:4c:8b:4b:46:63:fe:
00:34:40:70:c1:c3:b9:a1:dd:a6:70:e2:04:b3:41:bc:e9:80:
91:ea:64:9c:7a:e1:22:03:a9:9c:6e:6f:0e:65:4f:6c:87:87:
5e:f3:6e:a0:f9:75:a5:9b:40:e8:53:b2:27:9d:4a:b9:c0:77:
21:8d:ff:87:f2:de:bc:8c:ef:17:df:b7:49:0b:d1:f2:6e:30:
0b:1a:0e:4e:76:ed:11:fc:f5:e9:56:b2:7d:bf:c7:6d:0a:93:
8c:a5:d0:c0:b6:1d:be:3a:4e:94:a2:d7:6e:6c:0b:c2:8a:7c:
fa:20:f3:c4:e4:e5:cd:0d:a8:cb:91:92:b1:7c:85:ec:b5:14:
69:66:0e:82:e7:cd:ce:c8:2d:a6:51:7f:21:c1:35:53:85:06:
4a:5d:9f:ad:bb:1b:5f:74
-----BEGIN CERTIFICATE-----
MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
+pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
NVOFBkpdn627G190
-----END CERTIFICATE-----
In GNU Emacs 25.1.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version
10.9.5 (Build 13F1911))
of 2016-09-20 built on builder10-9.porkrind.org
Windowing system distributor 'Apple', version 10.3.1404
Configured using:
'configure --with-ns '--enable-locallisppath=/Library/Application
Support/Emacs/${version}/site-lisp:/Library/Application
Support/Emacs/site-lisp' --with-modules'
Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES
Important settings:
value of $LANG: en_US.UTF-8
locale-coding-system: utf-8-unix
Major mode: Fundamental
Minor modes in effect:
tooltip-mode: t
global-eldoc-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
transient-mark-mode: t
Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Contacting host: hostgator.com:443
Type C-x 1 to delete the help window.
Entering debugger...
Mark set [4 times]
Saved text until "1 (face bold)))
1 <- nsm-query-user: no
"
Load-path shadows:
None found.
Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml
mml-sec epg epg-config mm-decode mm-bodies mm-encode mailabbrev
gmm-utils mailheader sendmail mail-utils debug network-stream nsm
starttls url-http tls gnutls mail-parse rfc2231 rfc2047 rfc2045
ietf-drums url-gw url-cache url-auth url url-proxy url-privacy
url-expand url-methods url-history url-cookie url-domsuf url-util
url-parse auth-source cl-seq eieio byte-opt bytecomp byte-compile
cl-extra cconv eieio-core cl-macs gv gnus-util mm-util help-fns
help-mode easymenu cl-loaddefs pcase cl-lib mail-prsvr password-cache
url-vars mailcap trace time-date mule-util tooltip eldoc electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel ns-win ucs-normalize
term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese charscript case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer cl-preloaded nadvice loaddefs button faces
cus-face macroexp files text-properties overlay sha1 md5 base64 format
env code-pages mule custom widget hashtable-print-readable backquote
kqueue cocoa ns multi-tty make-network-process emacs)
Memory information:
((conses 16 212415 6685)
(symbols 48 21416 0)
(miscs 40 85 166)
(strings 32 21102 6674)
(string-bytes 1 614300)
(vectors 16 35417)
(vector-slots 8 679626 6101)
(floats 8 206 185)
(intervals 56 352 4)
(buffers 976 20))
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: 25.1; TLS cert lossage
2016-09-30 21:49 bug#24575: 25.1; TLS cert lossage Devon Sean McCullough
@ 2016-10-01 7:58 ` Eli Zaretskii
2016-10-01 8:49 ` bug#24575: (url-retrieve-synchronously "https://gnu.org") ; untrusted Devon Sean McCullough
2016-10-01 10:20 ` bug#24575: libgnutls MacOSX bug? Devon Sean McCullough
2 siblings, 0 replies; 10+ messages in thread
From: Eli Zaretskii @ 2016-10-01 7:58 UTC (permalink / raw)
To: Devon Sean McCullough; +Cc: 24575
> Date: Fri, 30 Sep 2016 16:49:55 -0500
> From: "Devon Sean McCullough" <Emacs-Hacker2016@jovi.net>
>
> url-retrieve-synchronously distrusts this perfectly good cert
> which is trusted by Emacs 24.3, Emacs 24.5 and FireFox 49.0.1:
>
> $ Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq
> debug-on-error t) (trace-function (function nsm-query-user))
> (url-retrieve-synchronously "https://HostGator.com"))'
>
> *trace-output*
> ======================================================================
> 1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the
> following reason%s:
It doesn't fail for me here, I get a buffer with the content of that
URL.
So it could be some issue with your TLS layer or the certificate
bundle.
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: (url-retrieve-synchronously "https://gnu.org") ; untrusted
2016-09-30 21:49 bug#24575: 25.1; TLS cert lossage Devon Sean McCullough
2016-10-01 7:58 ` Eli Zaretskii
@ 2016-10-01 8:49 ` Devon Sean McCullough
2016-10-01 10:20 ` bug#24575: libgnutls MacOSX bug? Devon Sean McCullough
2 siblings, 0 replies; 10+ messages in thread
From: Devon Sean McCullough @ 2016-10-01 8:49 UTC (permalink / raw)
To: 24575
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2016-09-30 21:49 bug#24575: 25.1; TLS cert lossage Devon Sean McCullough
2016-10-01 7:58 ` Eli Zaretskii
2016-10-01 8:49 ` bug#24575: (url-retrieve-synchronously "https://gnu.org") ; untrusted Devon Sean McCullough
@ 2016-10-01 10:20 ` Devon Sean McCullough
2016-10-01 10:45 ` Eli Zaretskii
2 siblings, 1 reply; 10+ messages in thread
From: Devon Sean McCullough @ 2016-10-01 10:20 UTC (permalink / raw)
To: 24575
Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?
$ lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
...
Emacs-x86 2568 devon cwd DIR 1,4 24004 4562405
/Users/devon
Emacs-x86 2568 devon txt REG 1,4 17858160 70328116
/Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_9
Emacs-x86 2568 devon txt REG 1,4 1070144 70328127
/Applications/Emacs.app/Contents/MacOS/lib-x86_64-10_9/libgnutls.30.dylib
...
$ system_profiler SPSoftwareDataType
Software:
System Software Overview:
System Version: OS X 10.11.6 (15G1004)
Kernel Version: Darwin 15.6.0
...
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2016-10-01 10:20 ` bug#24575: libgnutls MacOSX bug? Devon Sean McCullough
@ 2016-10-01 10:45 ` Eli Zaretskii
2016-10-01 12:07 ` npostavs
0 siblings, 1 reply; 10+ messages in thread
From: Eli Zaretskii @ 2016-10-01 10:45 UTC (permalink / raw)
To: Devon Sean McCullough; +Cc: 24575
> Date: Sat, 1 Oct 2016 05:20:31 -0500
> From: "Devon Sean McCullough" <Devon2016@jovi.net>
>
> Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?
My Emacs is built with GnuTLS, and it doesn't show the problem.
GnuTLS uses the system's store of the certificates, so I think the
problem might be there.
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2016-10-01 10:45 ` Eli Zaretskii
@ 2016-10-01 12:07 ` npostavs
2017-01-24 23:35 ` Lars Ingebrigtsen
0 siblings, 1 reply; 10+ messages in thread
From: npostavs @ 2016-10-01 12:07 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: 24575, Devon Sean McCullough
Eli Zaretskii <eliz@gnu.org> writes:
>> Date: Sat, 1 Oct 2016 05:20:31 -0500
>> From: "Devon Sean McCullough" <Devon2016@jovi.net>
>>
>> Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?
>
> My Emacs is built with GnuTLS, and it doesn't show the problem.
>
> GnuTLS uses the system's store of the certificates, so I think the
> problem might be there.
I think this is a problem on the remote end. I see this problem, but
not every time. Checking with gnutls-cli it seems that that when
www.hostgator.com resolves to 50.23.69.98 it serves fewer certificates,
and fails to verify. Other machines serve more certificates and
verification succeeds.
~$ gnutls-cli www.hostgator.com
Processed 183 CA certificate(s).
Resolving 'www.hostgator.com'...
Connecting to '173.192.226.44:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-16 00:00:00 UTC', expires `2018-10-15 23:59:59 UTC', SHA-1 fingerprint `1327565bd907609d8cc120fd0af53426347486c5'
Public Key ID:
75265ba9039f77c136d9519931b9c8496dd91967
Public key's random art:
+--[ RSA 2048]----+
| .=E|
| + %=|
| . o B X o|
| + O = + |
| S * . . |
| o . |
| |
| |
| |
+-----------------+
- Certificate[1] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', SHA-1 fingerprint `339cdd57cfd5b141169b615ff31428782d1da639'
- Certificate[2] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-CBC)-(SHA256)
- Session ID: 47:28:B2:1E:8E:60:4F:17:8C:03:4C:21:50:F0:27:82:54:4B:5F:60:31:B0:48:D5:84:08:BC:30:82:30:86:EB
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
- Peer has closed the GnuTLS connection
~$ gnutls-cli www.hostgator.com
Processed 183 CA certificate(s).
Resolving 'www.hostgator.com'...
Connecting to '50.23.69.98:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-16 00:00:00 UTC', expires `2018-10-15 23:59:59 UTC', SHA-1 fingerprint `1327565bd907609d8cc120fd0af53426347486c5'
Public Key ID:
75265ba9039f77c136d9519931b9c8496dd91967
Public key's random art:
+--[ RSA 2048]----+
| .=E|
| + %=|
| . o B X o|
| + O = + |
| S * . . |
| o . |
| |
| |
| |
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2016-10-01 12:07 ` npostavs
@ 2017-01-24 23:35 ` Lars Ingebrigtsen
2017-01-25 21:38 ` Devon Sean McCullough
0 siblings, 1 reply; 10+ messages in thread
From: Lars Ingebrigtsen @ 2017-01-24 23:35 UTC (permalink / raw)
To: npostavs; +Cc: 24575, Devon Sean McCullough
npostavs@users.sourceforge.net writes:
> I think this is a problem on the remote end. I see this problem, but
> not every time. Checking with gnutls-cli it seems that that when
> www.hostgator.com resolves to 50.23.69.98 it serves fewer certificates,
> and fails to verify. Other machines serve more certificates and
> verification succeeds.
So this doesn't seem to be an Emacs bug? I'm closing this report, but
feel free to reopen if it turns out to be an Emacs bug anyway.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2017-01-24 23:35 ` Lars Ingebrigtsen
@ 2017-01-25 21:38 ` Devon Sean McCullough
2017-01-25 22:37 ` Glenn Morris
0 siblings, 1 reply; 10+ messages in thread
From: Devon Sean McCullough @ 2017-01-25 21:38 UTC (permalink / raw)
To: Lars Ingebrigtsen; +Cc: 24575, npostavs
> On Jan 24, 2017, at 6:35 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote:
> So this doesn't seem to be an Emacs bug? I'm closing this report, but
> feel free to reopen if it turns out to be an Emacs bug anyway.
Either an Emacs bug or a cert bug at https://gnu.org.
Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://gnu.org"))'
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s:
%s" ("gnu.org" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=gnu.org
Hostname: gnu.org
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level: Medium
Valid: From 2016-12-16 to 2017-03-16
" 272 278 (face bold)))
1 <- nsm-query-user: session
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s:
%s" ("www.gnu.org" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=gnu.org
Hostname: gnu.org
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level: Medium
Valid: From 2016-12-16 to 2017-03-16
" 272 278 (face bold)))
1 <- nsm-query-user: session
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2017-01-25 21:38 ` Devon Sean McCullough
@ 2017-01-25 22:37 ` Glenn Morris
2017-01-25 23:57 ` npostavs
0 siblings, 1 reply; 10+ messages in thread
From: Glenn Morris @ 2017-01-25 22:37 UTC (permalink / raw)
To: Devon Sean McCullough; +Cc: 24575, Lars Ingebrigtsen, npostavs
(BTW, This seems like a duplicate of 24396?)
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#24575: libgnutls MacOSX bug?
2017-01-25 22:37 ` Glenn Morris
@ 2017-01-25 23:57 ` npostavs
0 siblings, 0 replies; 10+ messages in thread
From: npostavs @ 2017-01-25 23:57 UTC (permalink / raw)
To: Glenn Morris; +Cc: 24575, Lars Ingebrigtsen, Devon Sean McCullough
tags 24575 notabug
quit
Glenn Morris <rgm@gnu.org> writes:
> (BTW, This seems like a duplicate of 24396?)
The case in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24575#28
definitely looks like Bug#24396, and I can't reproduce it here on my
Arch GNU/Linux box.
For the case in the OP, I reported in
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24575#20 being able to
reproduce the error sometimes, depending on which remote host answered.
Since it also happens with gnutls-cli, I don't believe it's an Emacs
bug. And it no longer happens for me at all, so I think it was fixed on
the remote end.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2017-01-25 23:57 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-30 21:49 bug#24575: 25.1; TLS cert lossage Devon Sean McCullough
2016-10-01 7:58 ` Eli Zaretskii
2016-10-01 8:49 ` bug#24575: (url-retrieve-synchronously "https://gnu.org") ; untrusted Devon Sean McCullough
2016-10-01 10:20 ` bug#24575: libgnutls MacOSX bug? Devon Sean McCullough
2016-10-01 10:45 ` Eli Zaretskii
2016-10-01 12:07 ` npostavs
2017-01-24 23:35 ` Lars Ingebrigtsen
2017-01-25 21:38 ` Devon Sean McCullough
2017-01-25 22:37 ` Glenn Morris
2017-01-25 23:57 ` npostavs
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).