* TLS certificate on elpa.gnu.org
@ 2018-02-04 3:13 Neil Okamoto
2018-02-04 15:23 ` Clément Pit-Claudel
2018-02-04 16:29 ` Eli Zaretskii
0 siblings, 2 replies; 6+ messages in thread
From: Neil Okamoto @ 2018-02-04 3:13 UTC (permalink / raw)
To: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 2145 bytes --]
elpa.gnu.org seems to be malformed in a way that causes some SSL analyzers to warn about “extra certs”.
For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org <https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org> reports
Certificates provided | 3 (3732 bytes)
Chain issues | Incorrect order, Extra certs
And of the three certificates found, it appears certificate[0] and certificate[1] are identical. Is the duplication considered "out of order?”
Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is in use (this is the case for the container infrastructure on Travis CI), we have this:
# gnutls-cli -v
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.8)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Nikos Mavrogiannopoulos.
#
# gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 443 elpa.gnu.org
Processed 148 CA certificate(s).
Resolving 'elpa.gnu.org'...
Connecting to '208.118.235.89:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Which means tools like “Cask” which invoke Emacs in batch to install dependencies from package repos like ELPA or MELPA are failing on the Travis CI infrastructure.
It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs package maintainers may be avoiding the complexity by not implementing CI for their projects.
Can someone more knowledgable about the standards, the evolution of gnutls since 2.12, and the server configuration of elope.gnu.org please weigh in on this?
thanks
Neil
[-- Attachment #2: Type: text/html, Size: 6868 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: TLS certificate on elpa.gnu.org
2018-02-04 3:13 TLS certificate on elpa.gnu.org Neil Okamoto
@ 2018-02-04 15:23 ` Clément Pit-Claudel
2018-02-04 16:29 ` Eli Zaretskii
1 sibling, 0 replies; 6+ messages in thread
From: Clément Pit-Claudel @ 2018-02-04 15:23 UTC (permalink / raw)
To: emacs-devel
On 2018-02-03 22:13, Neil Okamoto wrote:
> Which means tools like “Cask” which invoke Emacs in batch to install dependencies from package repos like ELPA or MELPA are failing on the Travis CI infrastructure.
Ah, thanks so much for tracking this down! I'd been wanting to track that error down for a while. Great sleuthing work!
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: TLS certificate on elpa.gnu.org
2018-02-04 3:13 TLS certificate on elpa.gnu.org Neil Okamoto
2018-02-04 15:23 ` Clément Pit-Claudel
@ 2018-02-04 16:29 ` Eli Zaretskii
2018-02-04 16:48 ` Philipp Stephani
1 sibling, 1 reply; 6+ messages in thread
From: Eli Zaretskii @ 2018-02-04 16:29 UTC (permalink / raw)
To: Neil Okamoto; +Cc: emacs-devel
> From: Neil Okamoto <neil.okamoto@gmail.com>
> Date: Sat, 3 Feb 2018 19:13:03 -0800
>
> elpa.gnu.org seems to be malformed in a way that causes some SSL analyzers to warn about “extra certs”.
>
> For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org reports
>
> Certificates provided | 3 (3732 bytes)
> Chain issues | Incorrect order, Extra certs
>
> And of the three certificates found, it appears certificate[0] and certificate[1] are identical. Is the duplication
> considered "out of order?”
>
> Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is in use (this is the case for the
> container infrastructure on Travis CI), we have this:
>
> # gnutls-cli -v
> gnutls-cli (GnuTLS) 2.12.23
> Packaged by Debian (2.12.23-12ubuntu2.8)
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
Isn't this an awfully old version of GnuTLS? I have here 3.4.15, and
it doesn't complain about the GNU ELPA certificate. It says "Status:
The certificate is trusted."
> It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
> compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and
> complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs
> package maintainers may be avoiding the complexity by not implementing CI for their projects.
>
> Can someone more knowledgable about the standards, the evolution of gnutls since 2.12, and the server
> configuration of elope.gnu.org please weigh in on this?
I'm not such an expert on this, but in general, security assumes
latest versions of related software and databases.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: TLS certificate on elpa.gnu.org
2018-02-04 16:29 ` Eli Zaretskii
@ 2018-02-04 16:48 ` Philipp Stephani
2018-02-04 17:51 ` Eli Zaretskii
0 siblings, 1 reply; 6+ messages in thread
From: Philipp Stephani @ 2018-02-04 16:48 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: emacs-devel, Neil Okamoto
[-- Attachment #1: Type: text/plain, Size: 2352 bytes --]
Eli Zaretskii <eliz@gnu.org> schrieb am So., 4. Feb. 2018 um 17:30 Uhr:
> > From: Neil Okamoto <neil.okamoto@gmail.com>
> > Date: Sat, 3 Feb 2018 19:13:03 -0800
> >
> > elpa.gnu.org seems to be malformed in a way that causes some SSL
> analyzers to warn about “extra certs”.
> >
> > For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org
> reports
> >
> > Certificates provided | 3 (3732 bytes)
> > Chain issues | Incorrect order, Extra certs
> >
> > And of the three certificates found, it appears certificate[0] and
> certificate[1] are identical. Is the duplication
> > considered "out of order?”
> >
> > Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is
> in use (this is the case for the
> > container infrastructure on Travis CI), we have this:
> >
> > # gnutls-cli -v
> > gnutls-cli (GnuTLS) 2.12.23
> > Packaged by Debian (2.12.23-12ubuntu2.8)
> > Copyright (C) 2012 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
>
> Isn't this an awfully old version of GnuTLS?
>
It is the version shipped with the current LTS version of Ubuntu:
https://packages.ubuntu.com/trusty/gnutls-bin
>
> > It’s causing me to introduce workarounds, such as downloading a newer
> gnutls source package and
> > compiling it locally in the Travis CI build. I would really prefer not
> to do this. It adds unnecessary time and
> > complexity to the CI setup for some Emacs packages, and (conversely) one
> can imagine other Emacs
> > package maintainers may be avoiding the complexity by not implementing
> CI for their projects.
> >
> > Can someone more knowledgable about the standards, the evolution of
> gnutls since 2.12, and the server
> > configuration of elope.gnu.org please weigh in on this?
>
> I'm not such an expert on this, but in general, security assumes
> latest versions of related software and databases.
>
>
Security requires *patched* versions, not *updated* versions. That's a big
difference. Ubuntu LTS gets security patches until the end of its lifetime,
but no bug fixes or new features. The security patches only fix
vulnerabilities.
[-- Attachment #2: Type: text/html, Size: 3362 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: TLS certificate on elpa.gnu.org
2018-02-04 16:48 ` Philipp Stephani
@ 2018-02-04 17:51 ` Eli Zaretskii
2018-02-04 20:11 ` Neil Okamoto
0 siblings, 1 reply; 6+ messages in thread
From: Eli Zaretskii @ 2018-02-04 17:51 UTC (permalink / raw)
To: Philipp Stephani; +Cc: emacs-devel, neil.okamoto
> From: Philipp Stephani <p.stephani2@gmail.com>
> Date: Sun, 04 Feb 2018 16:48:04 +0000
> Cc: Neil Okamoto <neil.okamoto@gmail.com>, emacs-devel@gnu.org
>
> Isn't this an awfully old version of GnuTLS?
>
> It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin
>
>
> > It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
> > compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time
> and
> > complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other
> Emacs
> > package maintainers may be avoiding the complexity by not implementing CI for their projects.
> >
> > Can someone more knowledgable about the standards, the evolution of gnutls since 2.12, and the
> server
> > configuration of elope.gnu.org please weigh in on this?
>
> I'm not such an expert on this, but in general, security assumes
> latest versions of related software and databases.
>
> Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets
> security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix
> vulnerabilities.
To me, the fact that a newer version of GnuTLS doesn't show this
problem means that the issue was resolved by further development of
that package. Maybe Ubuntu needs to backport more patches?
Anyway, we can continue discussing this here to Kingdom Come, but if
we want to hear from experts, this issue should be brought on the
GnuTLS mailing list, not here.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: TLS certificate on elpa.gnu.org
2018-02-04 17:51 ` Eli Zaretskii
@ 2018-02-04 20:11 ` Neil Okamoto
0 siblings, 0 replies; 6+ messages in thread
From: Neil Okamoto @ 2018-02-04 20:11 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: Philipp Stephani, emacs-devel
[-- Attachment #1: Type: text/plain, Size: 1834 bytes --]
> On Feb 4, 2018, at 9:51 AM, Eli Zaretskii <eliz@gnu.org> wrote:
>
>> From: Philipp Stephani <p.stephani2@gmail.com>
>> Date: Sun, 04 Feb 2018 16:48:04 +0000
>> Cc: Neil Okamoto <neil.okamoto@gmail.com>, emacs-devel@gnu.org
>>
>> Isn't this an awfully old version of GnuTLS?
>>
>> It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin
>>
>>
>>> It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
>>> compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time
>> and
>>> complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other
>> Emacs
>>> package maintainers may be avoiding the complexity by not implementing CI for their projects.
>>>
>>> Can someone more knowledgable about the standards, the evolution of gnutls since 2.12, and the
>> server
>>> configuration of elope.gnu.org please weigh in on this?
>>
>> I'm not such an expert on this, but in general, security assumes
>> latest versions of related software and databases.
>>
>> Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets
>> security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix
>> vulnerabilities.
>
> To me, the fact that a newer version of GnuTLS doesn't show this
> problem means that the issue was resolved by further development of
> that package. Maybe Ubuntu needs to backport more patches?
>
> Anyway, we can continue discussing this here to Kingdom Come, but if
> we want to hear from experts, this issue should be brought on the
> GnuTLS mailing list, not here.
Ok, I’m re-posting to gnutls-help.
[-- Attachment #2: Type: text/html, Size: 7446 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-02-04 20:11 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-04 3:13 TLS certificate on elpa.gnu.org Neil Okamoto
2018-02-04 15:23 ` Clément Pit-Claudel
2018-02-04 16:29 ` Eli Zaretskii
2018-02-04 16:48 ` Philipp Stephani
2018-02-04 17:51 ` Eli Zaretskii
2018-02-04 20:11 ` Neil Okamoto
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).