From: Philipp Stephani
Newsgroups: gmane.emacs.devel
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 04 Feb 2018 16:48:04 +0000
In-Reply-To: <83efm0afbq.fsf@gnu.org>
To: Eli Zaretskii
Cc: emacs-devel@gnu.org, Neil Okamoto

Eli Zaretskii wrote on Sun., 4 Feb. 2018 at 17:30:

> > From: Neil Okamoto
> > Date: Sat, 3 Feb 2018 19:13:03 -0800
> >
> > elpa.gnu.org seems to be malformed in a way that causes some SSL
> > analyzers to warn about "extra certs".
> >
> > For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org
> > reports
> >
> > Certificates provided | 3 (3732 bytes)
> > Chain issues | Incorrect order, Extra certs
> >
> > And of the three certificates found, it appears certificate[0] and
> > certificate[1] are identical. Is the duplication considered "out of
> > order"?
> >
> > Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is
> > in use (this is the case for the container infrastructure on Travis CI),
> > we have this:
> >
> > # gnutls-cli -v
> > gnutls-cli (GnuTLS) 2.12.23
> > Packaged by Debian (2.12.23-12ubuntu2.8)
> > Copyright (C) 2012 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
>
> Isn't this an awfully old version of GnuTLS?

It is the version shipped with the current LTS version of Ubuntu:
https://packages.ubuntu.com/trusty/gnutls-bin

> > It's causing me to introduce workarounds, such as downloading a newer
> > gnutls source package and compiling it locally in the Travis CI build.
> > I would really prefer not to do this. It adds unnecessary time and
> > complexity to the CI setup for some Emacs packages, and (conversely) one
> > can imagine other Emacs package maintainers may be avoiding the
> > complexity by not implementing CI for their projects.
> >
> > Can someone more knowledgeable about the standards, the evolution of
> > gnutls since 2.12, and the server configuration of elpa.gnu.org please
> > weigh in on this?
>
> I'm not such an expert on this, but in general, security assumes
> latest versions of related software and databases.

Security requires *patched* versions, not *updated* versions. That's a big
difference. Ubuntu LTS gets security patches until the end of its lifetime,
but no bug fixes or new features. The security patches only fix
vulnerabilities.


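The chain findings Neil quotes from SSL Labs (a duplicated certificate[0]/certificate[1], "Incorrect order", "Extra certs") and why a client that does not re-sort the chain, which is what the thread observes with GnuTLS 2.12, fails on them can be shown with a small model. This is an added example, not code from this thread or from GnuTLS: it stands in for X.509 parsing with constructed subject/issuer/fingerprint triples, and the CA names are hypothetical, not elpa.gnu.org's real issuers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed, not parsed from DER)."""
    subject: str
    issuer: str
    fingerprint: str  # stands in for the SHA-256 of the DER encoding


# Constructed sample chain; the CA names are hypothetical.
LEAF = Cert("CN=elpa.gnu.org", "CN=Example Intermediate CA", "aa11")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA", "bb22")


def build_path(chain):
    """Rebuild the leaf-first path a chain-sorting client would use: start at
    entry 0 (the server cert), then follow issuer -> subject, skipping duplicates
    and unrelated certs. A client that takes the order as sent cannot do this."""
    if not chain:
        return []
    by_subject = {}
    for cert in chain:
        by_subject.setdefault(cert.subject, cert)
    path = [chain[0]]
    while path[-1].issuer != path[-1].subject and path[-1].issuer in by_subject:
        nxt = by_subject[path[-1].issuer]
        if nxt in path:  # guard against cross-signing loops
            break
        path.append(nxt)
    return path


def analyze_chain(chain):
    """Flag what an analyzer reports about the server's Certificate message."""
    issues = set()
    seen = set()
    for cert in chain:
        if cert.fingerprint in seen:
            issues.add("Duplicate certs")
        seen.add(cert.fingerprint)
    # RFC 5246 7.4.2: each cert MUST directly certify the one preceding it,
    # so a duplicated leaf at position 1 is itself an ordering violation.
    for prev, cur in zip(chain, chain[1:]):
        if cur.subject != prev.issuer:
            issues.add("Incorrect order")
    if len(chain) > len(build_path(chain)):
        issues.add("Extra certs")  # anything sent beyond the usable path
    return issues


if __name__ == "__main__":
    print(analyze_chain([LEAF, LEAF, INTERMEDIATE]))  # the thread's 3-cert case
```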