From: Neil Okamoto <neil.okamoto@gmail.com>
To: emacs-devel@gnu.org
Subject: TLS certificate on elpa.gnu.org
Date: Sat, 3 Feb 2018 19:13:03 -0800 [thread overview]
Message-ID: <314F38A2-9B19-46C2-809A-FAFB5B5EC822@gmail.com> (raw)
elpa.gnu.org seems to be malformed in a way that causes some SSL analyzers to warn about “extra certs”.
For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org reports
Certificates provided: 3 (3732 bytes)
Chain issues: Incorrect order, Extra certs
And of the three certificates found, it appears certificate[0] and certificate[1] are identical. Is the duplication considered "out of order"?
Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is in use (this is the case for the container infrastructure on Travis CI), we have this:
# gnutls-cli -v
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.8)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Nikos Mavrogiannopoulos.
#
# gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 443 elpa.gnu.org
Processed 148 CA certificate(s).
Resolving 'elpa.gnu.org'...
Connecting to '208.118.235.89:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Which means tools like “Cask” which invoke Emacs in batch to install dependencies from package repos like ELPA or MELPA are failing on the Travis CI infrastructure.
It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs package maintainers may be avoiding the complexity by not implementing CI for their projects.
Can someone more knowledgeable about the standards, the evolution of gnutls since 2.12, and the server configuration of elpa.gnu.org please weigh in on this?
thanks
Neil
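The two findings in the SSL Labs report above (a duplicated certificate and a chain that is not in issuer order) can be reproduced offline from a chain dump, which is useful when a CI image ships an old TLS client and you want to know whether the server or the client is at fault. The following checker is an added example and is not code from the Emacs project, from elpa.gnu.org, or from this thread. It takes the PEM blocks that `openssl s_client -showcerts` (or `gnutls-cli --print-cert`) writes for a host, flags exact duplicates by SHA-256 fingerprint, and walks just enough of the DER to compare each certificate's issuer Name with the next certificate's subject Name. The sample chain at the bottom is constructed: three stand-in "certificates" with only the DER skeleton the check needs (leaf, the same leaf again, then the intermediate), mirroring the shape the report describes; they are not real X.509 certificates and would not validate anywhere.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(text):
    """Split a text dump into the DER bytes of each certificate, in the order the server sent them."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return (tag, raw encoding incl. header) for each element of a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, _, pos = _tlv(value, pos)
        out.append((tag, value[start:pos]))
    return out


def issuer_and_subject(der):
    """Raw DER encodings of the issuer and subject Names; byte equality is what chain building uses."""
    _, cert_body, _ = _tlv(der)
    _, tbs_raw = _children(cert_body)[0]   # tbsCertificate
    _, tbs_body, _ = _tlv(tbs_raw)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version is optional
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def analyze_chain(ders):
    """Return {'duplicates': [(first, repeat), ...], 'out_of_order': [index, ...]}."""
    issues, seen = {"duplicates": [], "out_of_order": []}, {}
    for i, der in enumerate(ders):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            issues["duplicates"].append((seen[fp], i))
        else:
            seen[fp] = i
    for i in range(len(ders) - 1):          # cert[i] must be issued by cert[i+1]
        issuer, _ = issuer_and_subject(ders[i])
        _, next_subject = issuer_and_subject(ders[i + 1])
        if issuer != next_subject:
            issues["out_of_order"].append(i)
    return issues


# --- constructed sample input (stand-in DER skeletons, not real certificates) ---

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(text):                            # crude Name: SEQUENCE { PrintableString }
    return _der(0x30, _der(0x13, text.encode()))


def fake_cert(subject, issuer):
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),    # version v3
        _der(0x02, b"\x01"),                # serialNumber
        _der(0x30, b""),                    # signature algorithm (placeholder)
        _name(issuer),
        _der(0x30, b""),                    # validity (placeholder)
        _name(subject),
        _der(0x30, b""),                    # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


LEAF = fake_cert("www.example.org", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
SAMPLE_CHAIN = "".join(to_pem(c) for c in (LEAF, LEAF, INTERMEDIATE))   # leaf sent twice

if __name__ == "__main__":
    print(analyze_chain(pem_chain_to_der(SAMPLE_CHAIN)))
```

On the constructed chain the result is `{'duplicates': [(0, 1)], 'out_of_order': [0]}`: the repeated leaf is reported once as a duplicate, and it also breaks ordering because certificate[1] is not the issuer of certificate[0], which is the same pair of complaints the report shows. To run it against a live host, capture `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` to a file and pass its contents to `pem_chain_to_der`; a strict client such as an old gnutls-cli that refuses a chain this tool flags is behaving as the report predicts, and the fix belongs on the server side.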
Thread overview: 6+ messages
2018-02-04 3:13 Neil Okamoto [this message]
2018-02-04 15:23 ` TLS certificate on elpa.gnu.org Clément Pit-Claudel
2018-02-04 16:29 ` Eli Zaretskii
2018-02-04 16:48 ` Philipp Stephani
2018-02-04 17:51 ` Eli Zaretskii
2018-02-04 20:11 ` Neil Okamoto