unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
From: Ian Kelling <iank@fsf.org>
To: 30555@debbugs.gnu.org
Cc: Sam Brightman <samghost@mpx.net>
Subject: bug#30555: elpa.gnu.org certificate order
Date: Tue, 20 Feb 2018 13:59:44 -0500	[thread overview]
Message-ID: <87fu5vzdun.fsf@fsf.org> (raw)

I think I've found the root cause as the apache config is wrong and am
going to fix this on the elpa server in the next few minutes, which I would
normally not touch.

Originall reported to sysadmin@gnu.org by "Sam Brightman, who i've cced

I'm writing because I believe the certificate chain for elpa.gnu.org is
incorrect. You can see the out-of-order chain warning on:

https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&hideResults=on

You can also run e.g. gnutls-cli:

$ gnutls-cli elpa.gnu.org
|<1>| There was a non-CA certificate in the trusted list:
O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification
Authority (2048).
Processed 165 CA certificate(s).
Resolving 'elpa.gnu.org:443'...
Connecting to '208.118.235.89:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0,
RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02
10:00:36 UTC', expires `2018-03-02 10:00:36 UTC',
pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
Public Key ID:
sha1:a055226618cb098619db153e7d847d0f2637b836
sha256:9b5feab8f5a9cc14cdba057a894f812d1cbf2192097b1f20819e3b48e578906d
Public Key PIN:
pin-sha256:m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0=
Public key's random art:
+--[ RSA 2048]----+
|++.o*..oo. |
|+=.B o.++ * |
|. = o + .* + |
| + oE . |
| . .S. |
| |
| |
| |
| |
+-----------------+

- Certificate[1] info:
- subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0,
RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02
10:00:36 UTC', expires `2018-03-02 10:00:36 UTC',
pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer
`CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using
RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17
16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID:
85:4F:3F:0C:1E:14:EE:51:33:81:38:3A:C8:72:FE:2C:72:B5:93:81:C0:8A:69:10:CA:66:CC:EE:44:99:74:D5
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

Whilst some TLS libraries will re-order/de-duplicate in this situation,
at least GnuTLS prior to version 3 does not. This is a very common
version for LTS distribution releases, including Travis CI. Stock Emacs
with GnuTLS (<3) support cannot verify the certificate of its own
package repository as a result of this.


end quote.

-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org





             reply	other threads:[~2018-02-20 18:59 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-20 18:59 Ian Kelling [this message]
2018-02-20 19:16 ` bug#30555: fixed on the server Ian Kelling

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87fu5vzdun.fsf@fsf.org \
    --to=iank@fsf.org \
    --cc=30555@debbugs.gnu.org \
    --cc=samghost@mpx.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).