From: Ian Kelling
Newsgroups: gmane.emacs.bugs
Subject: bug#30555: elpa.gnu.org certificate order
Date: Tue, 20 Feb 2018 13:59:44 -0500
Message-ID: <87fu5vzdun.fsf@fsf.org>
User-Agent: mu4e 1.0-alpha3; emacs 27.0.50
Cc: Sam Brightman
To: 30555@debbugs.gnu.org
I think I've found the root cause: the apache config is wrong. I am going to fix this on the elpa server in the next few minutes, which I would normally not touch.

Originally reported to sysadmin@gnu.org by Sam Brightman, who I've CC'd:

I'm writing because I believe the certificate chain for elpa.gnu.org is incorrect. You can see the out-of-order chain warning on:

https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&hideResults=on

You can also run e.g. gnutls-cli:

$ gnutls-cli elpa.gnu.org
|<1>| There was a non-CA certificate in the trusted list: O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification Authority (2048).
Processed 165 CA certificate(s).
Resolving 'elpa.gnu.org:443'...
Connecting to '208.118.235.89:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02 10:00:36 UTC', expires `2018-03-02 10:00:36 UTC', pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
	Public Key ID:
		sha1:a055226618cb098619db153e7d847d0f2637b836
		sha256:9b5feab8f5a9cc14cdba057a894f812d1cbf2192097b1f20819e3b48e578906d
	Public Key PIN:
		pin-sha256:m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0=
	Public key's random art:
	[RSA 2048 random art not reproduced]
- Certificate[1] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02 10:00:36 UTC', expires `2018-03-02 10:00:36 UTC', pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 85:4F:3F:0C:1E:14:EE:51:33:81:38:3A:C8:72:FE:2C:72:B5:93:81:C0:8A:69:10:CA:66:CC:EE:44:99:74:D5
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

Whilst some TLS libraries will re-order/de-duplicate in this situation, at least GnuTLS prior to version 3 does not. This is a very common version for LTS distribution releases, including Travis CI. Stock Emacs with GnuTLS (<3) support cannot verify the certificate of its own package repository as a result of this.

end quote.

-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
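As an added example, not part of the bug report nor code from Emacs or GnuTLS: a small Python check that parses the `Certificate[N] info` lines gnutls-cli prints, flags a presented chain that is duplicated or not issuer-ordered (the elpa.gnu.org case above: the leaf sent twice, then the intermediate), and reproduces the de-duplicate/re-order step that tolerant clients perform so a server operator can see what the chain should have looked like. The sample output is constructed from the lines quoted above; the function names are this example's own.

```python
import re

# Constructed sample: the Certificate[N] info lines from the gnutls-cli run quoted in the report.
SAMPLE_GNUTLS_OUTPUT = """\
- Certificate[0] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0
- Certificate[1] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708
"""

# gnutls-cli quotes names as `...'; match non-greedily so the apostrophe in "Let's" does not end a name.
CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)', serial (0x[0-9a-f]+)")

def parse_chain(output):
    """Certificates in the order the server presented them."""
    return [{"subject": s, "issuer": i, "serial": n} for s, i, n in CERT_RE.findall(output)]

def check_chain(chain):
    """Problems with the presented order; empty means no duplicates and each
    certificate's issuer is the subject of the next one (the TLS 1.2 ordering rule)."""
    problems, seen = [], set()
    for idx, cert in enumerate(chain):
        key = (cert["issuer"], cert["serial"])  # issuer + serial identifies a certificate
        if key in seen:
            problems.append(f"Certificate[{idx}] duplicates an earlier certificate")
        seen.add(key)
        if idx + 1 < len(chain) and chain[idx + 1]["subject"] != cert["issuer"]:
            problems.append(f"Certificate[{idx}] is not followed by its issuer")
    return problems

def normalize_chain(chain):
    """What a tolerant client does: drop duplicates, then walk issuer -> subject
    links from the leaf (chain[0]); certificates that cannot be linked are dropped."""
    unique, seen = [], set()
    for cert in chain:
        key = (cert["issuer"], cert["serial"])
        if key not in seen:
            seen.add(key)
            unique.append(cert)
    ordered, remaining = unique[:1], unique[1:]
    while remaining:
        nxt = next((c for c in remaining if c["subject"] == ordered[-1]["issuer"]), None)
        if nxt is None:
            break
        ordered.append(nxt)
        remaining.remove(nxt)
    return ordered
```

Feed it the real output of `gnutls-cli <host>` (or any text containing the same lines) to check a server after changing its chain configuration; an empty result from check_chain means a GnuTLS 2.x client will walk the chain as presented.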