Re: TLS certificate on elpa.gnu.org

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: Philipp Stephani <p.stephani2@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: emacs-devel@gnu.org, Neil Okamoto <neil.okamoto@gmail.com>
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 04 Feb 2018 16:48:04 +0000	[thread overview]
Message-ID: <CAArVCkT=ebG9ifRYn49Rc-DL3t5jxdq2QEuV062QWgnCC=QAtQ@mail.gmail.com> (raw)
In-Reply-To: <83efm0afbq.fsf@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 2352 bytes --]

Eli Zaretskii <eliz@gnu.org> schrieb am So., 4. Feb. 2018 um 17:30 Uhr:

> > From: Neil Okamoto <neil.okamoto@gmail.com>
> > Date: Sat, 3 Feb 2018 19:13:03 -0800
> >
> > elpa.gnu.org seems to be malformed in a way that causes some SSL
> analyzers to warn about “extra certs”.
> >
> > For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org
> reports
> >
> > Certificates provided | 3 (3732 bytes)
> > Chain issues | Incorrect order, Extra certs
> >
> > And of the three certificates found, it appears certificate[0] and
> certificate[1] are identical. Is the duplication
> > considered "out of order?”
> >
> > Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is
> in use (this is the case for the
> > container infrastructure on Travis CI), we have this:
> >
> > # gnutls-cli -v
> > gnutls-cli (GnuTLS) 2.12.23
> > Packaged by Debian (2.12.23-12ubuntu2.8)
> > Copyright (C) 2012 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
>
> Isn't this an awfully old version of GnuTLS?
>

It is the version shipped with the current LTS version of Ubuntu:
https://packages.ubuntu.com/trusty/gnutls-bin


>
> > It’s causing me to introduce workarounds, such as downloading a newer
> gnutls source package and
> > compiling it locally in the Travis CI build. I would really prefer not
> to do this. It adds unnecessary time and
> > complexity to the CI setup for some Emacs packages, and (conversely) one
> can imagine other Emacs
> > package maintainers may be avoiding the complexity by not implementing
> CI for their projects.
> >
> > Can someone more knowledgable about the standards, the evolution of
> gnutls since 2.12, and the server
> > configuration of elope.gnu.org please weigh in on this?
>
> I'm not such an expert on this, but in general, security assumes
> latest versions of related software and databases.
>
>
Security requires *patched* versions, not *updated* versions. That's a big
difference. Ubuntu LTS gets security patches until the end of its lifetime,
but no bug fixes or new features. The security patches only fix
vulnerabilities.

[-- Attachment #2: Type: text/html, Size: 3362 bytes --]

next prev parent reply	other threads:[~2018-02-04 16:48 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-04  3:13 TLS certificate on elpa.gnu.org Neil Okamoto
2018-02-04 15:23 ` Clément Pit-Claudel
2018-02-04 16:29 ` Eli Zaretskii
2018-02-04 16:48   ` Philipp Stephani [this message]
2018-02-04 17:51     ` Eli Zaretskii
2018-02-04 20:11       ` Neil Okamoto

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAArVCkT=ebG9ifRYn49Rc-DL3t5jxdq2QEuV062QWgnCC=QAtQ@mail.gmail.com' \
    --to=p.stephani2@gmail.com \
    --cc=eliz@gnu.org \
    --cc=emacs-devel@gnu.org \
    --cc=neil.okamoto@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).