From: Zack Weinberg
Newsgroups: gmane.emacs.bugs
Subject: bug#24396: 25.1; Doesn't trust Let's Encrypt certificates (used by MELPA)
Date: Thu, 8 Sep 2016 13:36:06 -0400
To: 24396@debbugs.gnu.org

Emacs 25.1-rc2 (prebuilt for OSX, from
https://emacsformacosx.com/emacs-builds/Emacs-pretest-25.1-rc2-universal.dmg)
does not accept TLS certificates issued by Let's Encrypt
(https://letsencrypt.org/).  This is a particular problem because
MELPA (specifically, https://stable.melpa.org) uses such a
certificate.

To observe the problem, run these Lisp commands:

---
(require 'package)
(add-to-list 'package-archives
             '("melpa-stable" . "https://stable.melpa.org/packages/"))
(package-initialize)
(package-list-packages)
---

You will get a transient *Network Security Manager* buffer reading

---
Certificate information
Issued by:          Let's Encrypt Authority X3
Issued to:          CN=stable.melpa.org
Hostname:           stable.melpa.org
Public key:         RSA, signature: RSA-SHA256
Protocol:           TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level:     Medium
Valid:              From 2016-09-04 to 2016-12-03

The TLS connection to stable.melpa.org:443 is insecure for the
following reasons:

the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified
---

and a prompt asking whether to continue connecting.

(Incidentally, the *Network Security Manager* buffer is deleted after
you answer the question, and C-x o or clicking in that buffer counts
as answering "no".  This makes it annoyingly difficult to capture the
contents of that buffer in order to, say, include it in a bug report.)

zw

In GNU Emacs 25.1.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21
Version 10.9.5 (Build 13F1911))
 of 2016-08-21 built on builder10-9.porkrind.org
Windowing system distributor 'Apple', version 10.3.1404
Configured using:
 'configure --with-ns '--enable-locallisppath=/Library/Application
 Support/Emacs/${version}/site-lisp:/Library/Application
 Support/Emacs/site-lisp''

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  show-paren-mode: t
  shell-dirtrack-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
Type C-x 1 to delete the help window.
Failed to download ‘melpa-stable’ archive.
Mark set
Package refresh done
No apropos matches for ‘security’

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug sendmail apropos mm-archive message
rfc822 mml mml-sec epg mailabbrev gmm-utils mailheader mm-decode
mm-bodies mm-encode url-handlers mail-utils network-stream nsm starttls
url-http tls gnutls mail-parse rfc2231 rfc2047 rfc2045 ietf-drums url-gw
url-cache url-auth url url-proxy url-privacy url-expand url-methods
url-history url-cookie url-domsuf url-util url-parse url-vars mailcap
server paren cus-start cus-load tramp tramp-compat auth-source cl-seq
eieio eieio-core cl-macs gnus-util mm-util help-fns mail-prsvr
password-cache tramp-loaddefs trampver shell pcomplete comint ansi-color
ring format-spec advice dired finder-inf package epg-config seq byte-opt
gv bytecomp byte-compile cl-extra help-mode easymenu cconv cl-loaddefs
pcase cl-lib time-date mule-util tooltip eldoc electric uniquify
ediff-hook vc-hooks lisp-float-type mwheel ns-win ucs-normalize
term/common-win tool-bar dnd fontset image regexp-opt fringe
tabulated-list newcomment elisp-mode lisp-mode prog-mode register page
menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock font-lock
syntax facemenu font-core frame cl-generic cham georgian utf-8-lang
misc-lang vietnamese tibetan thai tai-viet lao korean japanese eucjp-ms
cp51932 hebrew greek romanian slovak czech european ethiopic indian
cyrillic chinese charscript case-table epa-hook jka-cmpr-hook help
simple abbrev minibuffer cl-preloaded nadvice loaddefs button faces
cus-face macroexp files text-properties overlay sha1 md5 base64 format
env code-pages mule custom widget hashtable-print-readable backquote
kqueue cocoa ns multi-tty make-network-process emacs)

Memory information:
((conses 16 239636 56351)
 (symbols 48 24300 0)
 (miscs 40 83 256)
 (strings 32 29846 8346)
 (string-bytes 1 864838)
 (vectors 16 38677)
 (vector-slots 8 714931 12891)
 (floats 8 248 88)
 (intervals 56 698 735)
 (buffers 976 22))