* bug#24575: 25.1; TLS cert lossage
From: Devon Sean McCullough @ 2016-09-30 21:49 UTC
To: 24575

url-retrieve-synchronously distrusts this perfectly good cert
which is trusted by Emacs 24.3, Emacs 24.5 and FireFox 49.0.1:

$ Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com"))'

*trace-output*
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s:

%s" ("hostgator.com" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: COMODO RSA Domain Validation Secure Server CA
Issued to: Domain Control Validated
Hostname: *.hostgator.com
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-CBC, mac: SHA256
Security level: Medium
Valid: From 2015-10-16 to 2018-10-15
" 315 321 (face bold)))
1 <- nsm-query-user: no

*Backtrace*
Debugger entered--Lisp error: (error "Could not create connection to hostgator.com:443")
  signal(error ("Could not create connection to hostgator.com:443"))
  error("Could not create connection to %s:%d" "hostgator.com" 443)
  url-http([cl-struct-url "https" nil nil "hostgator.com" nil "" nil nil t nil t] #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] (nil) nil tls)
  url-https([cl-struct-url "https" nil nil "hostgator.com" nil "" nil nil t nil t] #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] (nil))
  url-retrieve-internal("https://HostGator.com" #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] (nil) nil nil)
  url-retrieve("https://HostGator.com" #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] nil nil nil)
  url-retrieve-synchronously("https://HostGator.com")
  (progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com"))
  eval((progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com")))
  command-line-1(("--eval" "(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously \"https://HostGator.com\"))"))
  command-line()
  normal-top-level()

$ Open https://HostGator.com
# FireFox 49.0.1 accepts the cert without question and can export the chain to a PEM file:
$ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {cert = cert "\n" $0}; /END CERTIFICATE/ {system ("OpenSSL x509 -text <<.\n" cert "\n.\n"); cert = ""}' < '*.hostgator.com.crt'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:66:63:4e:f1:c6:d1:71:40:ab:7d:99:b5:4c:16:de
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Oct 16 00:00:00 2015 GMT
            Not After : Oct 15 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=Hosted by HostGator.com, LLC., OU=PositiveSSL Wildcard, CN=*.hostgator.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Subject Key Identifier:
                CE:54:03:B4:98:00:7C:DE:70:72:6C:9C:D4:BE:39:01:FE:31:EE:C3
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:*.hostgator.com, DNS:hostgator.com
    Signature Algorithm: sha256WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
        Validity
            Not Before: Feb 12 00:00:00 2014 GMT
            Not After : Feb 11 23:59:59 2029 GMT
        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
            X509v3 Subject Key Identifier:
                90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
                OCSP - URI:http://ocsp.comodoca.com
    Signature Algorithm: sha384WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
        Validity
            Not Before: Jan 19 00:00:00 2010 GMT
            Not After : Jan 18 23:59:59 2038 GMT
        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha384WithRSAEncryption

In GNU Emacs 25.1.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version 10.9.5 (Build 13F1911))
 of 2016-09-20 built on builder10-9.porkrind.org
Windowing system distributor 'Apple', version 10.3.1404
Configured using:
 'configure --with-ns '--enable-locallisppath=/Library/Application Support/Emacs/${version}/site-lisp:/Library/Application Support/Emacs/site-lisp' --with-modules'

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Contacting host: hostgator.com:443
Type C-x 1 to delete the help window.
Entering debugger...
Mark set [4 times]
Saved text until "1 (face bold)))
1 <- nsm-query-user: no
"

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml
mml-sec epg epg-config mm-decode mm-bodies mm-encode mailabbrev
gmm-utils mailheader sendmail mail-utils debug network-stream nsm
starttls url-http tls gnutls mail-parse rfc2231 rfc2047 rfc2045
ietf-drums url-gw url-cache url-auth url url-proxy url-privacy
url-expand url-methods url-history url-cookie url-domsuf url-util
url-parse auth-source cl-seq eieio byte-opt bytecomp byte-compile
cl-extra cconv eieio-core cl-macs gv gnus-util mm-util help-fns
help-mode easymenu cl-loaddefs pcase cl-lib mail-prsvr password-cache
url-vars mailcap trace time-date mule-util tooltip eldoc electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel ns-win
ucs-normalize term/common-win tool-bar dnd fontset image regexp-opt
fringe tabulated-list newcomment elisp-mode lisp-mode prog-mode register
page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core frame cl-generic cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese charscript case-table epa-hook
jka-cmpr-hook help simple abbrev minibuffer cl-preloaded nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote kqueue cocoa ns multi-tty
make-network-process emacs)

Memory information:
((conses 16 212415 6685)
 (symbols 48 21416 0)
 (miscs 40 85 166)
 (strings 32 21102 6674)
 (string-bytes 1 614300)
 (vectors 16 35417)
 (vector-slots 8 679626 6101)
 (floats 8 206 185)
 (intervals 56 352 4)
 (buffers 976 20))

* bug#24575: 25.1; TLS cert lossage
From: Eli Zaretskii @ 2016-10-01 7:58 UTC
To: Devon Sean McCullough; +Cc: 24575

> Date: Fri, 30 Sep 2016 16:49:55 -0500
> From: "Devon Sean McCullough" <Emacs-Hacker2016@jovi.net>
>
> url-retrieve-synchronously distrusts this perfectly good cert
> which is trusted by Emacs 24.3, Emacs 24.5 and FireFox 49.0.1:
>
> $ Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq
> debug-on-error t) (trace-function (function nsm-query-user))
> (url-retrieve-synchronously "https://HostGator.com"))'
>
> *trace-output*
> ======================================================================
> 1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the
> following reason%s:

It doesn't fail for me here, I get a buffer with the content of that
URL. So it could be some issue with your TLS layer or the certificate
bundle.

* bug#24575: (url-retrieve-synchronously "https://gnu.org") ; untrusted
From: Devon Sean McCullough @ 2016-10-01 8:49 UTC
To: 24575

* bug#24575: libgnutls MacOSX bug?
From: Devon Sean McCullough @ 2016-10-01 10:20 UTC
To: 24575

Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?

$ lsof
COMMAND    PID  USER  FD  TYPE DEVICE SIZE/OFF     NODE NAME
...
Emacs-x86 2568 devon cwd   DIR    1,4    24004  4562405 /Users/devon
Emacs-x86 2568 devon txt   REG    1,4 17858160 70328116 /Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_9
Emacs-x86 2568 devon txt   REG    1,4  1070144 70328127 /Applications/Emacs.app/Contents/MacOS/lib-x86_64-10_9/libgnutls.30.dylib
...
$ system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: OS X 10.11.6 (15G1004)
      Kernel Version: Darwin 15.6.0
...

* bug#24575: libgnutls MacOSX bug?
From: Eli Zaretskii @ 2016-10-01 10:45 UTC
To: Devon Sean McCullough; +Cc: 24575

> Date: Sat, 1 Oct 2016 05:20:31 -0500
> From: "Devon Sean McCullough" <Devon2016@jovi.net>
>
> Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?

My Emacs is built with GnuTLS, and it doesn't show the problem.

GnuTLS uses the system's store of the certificates, so I think the
problem might be there.

* bug#24575: libgnutls MacOSX bug?
From: npostavs @ 2016-10-01 12:07 UTC
To: Eli Zaretskii; +Cc: 24575, Devon Sean McCullough

Eli Zaretskii <eliz@gnu.org> writes:

>> Date: Sat, 1 Oct 2016 05:20:31 -0500
>> From: "Devon Sean McCullough" <Devon2016@jovi.net>
>>
>> Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?
>
> My Emacs is built with GnuTLS, and it doesn't show the problem.
>
> GnuTLS uses the system's store of the certificates, so I think the
> problem might be there.

I think this is a problem on the remote end. I see this problem, but
not every time. Checking with gnutls-cli it seems that when
www.hostgator.com resolves to 50.23.69.98 it serves fewer certificates,
and fails to verify. Other machines serve more certificates and
verification succeeds.

~$ gnutls-cli www.hostgator.com
Processed 183 CA certificate(s).
Resolving 'www.hostgator.com'...
Connecting to '173.192.226.44:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-16 00:00:00 UTC', expires `2018-10-15 23:59:59 UTC', SHA-1 fingerprint `1327565bd907609d8cc120fd0af53426347486c5'
	Public Key ID:
		75265ba9039f77c136d9519931b9c8496dd91967
- Certificate[1] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', SHA-1 fingerprint `339cdd57cfd5b141169b615ff31428782d1da639'
- Certificate[2] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-CBC)-(SHA256)
- Session ID: 47:28:B2:1E:8E:60:4F:17:8C:03:4C:21:50:F0:27:82:54:4B:5F:60:31:B0:48:D5:84:08:BC:30:82:30:86:EB
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GnuTLS connection

~$ gnutls-cli www.hostgator.com
Processed 183 CA certificate(s).
Resolving 'www.hostgator.com'...
Connecting to '50.23.69.98:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-16 00:00:00 UTC', expires `2018-10-15 23:59:59 UTC', SHA-1 fingerprint `1327565bd907609d8cc120fd0af53426347486c5'
	Public Key ID:
		75265ba9039f77c136d9519931b9c8496dd91967
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

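The comparison made by hand in the message above, as an added example that is not part of the original thread or of Emacs/GnuTLS: it parses gnutls-cli transcripts, reports which issuer each backend leaves the client to supply from its own store, and flags addresses that serve a shorter chain. The sample transcripts are constructed by abridging the two runs quoted above, and all function names are hypothetical.

```python
import re

# Constructed sample: the two gnutls-cli runs from the thread, abridged to the
# lines the parser needs (distinguished names and addresses as printed there).
LEAF = (r"OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,"
        "OU=PositiveSSL Wildcard,CN=*.hostgator.com")
COMODO = "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN="
DV_CA = COMODO + "COMODO RSA Domain Validation Secure Server CA"
RSA_CA = COMODO + "COMODO RSA Certification Authority"
ADDTRUST = ("C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,"
            "CN=AddTrust External CA Root")


def _cert(index, subject, issuer):
    """One certificate entry in gnutls-cli's output layout (sample builder)."""
    return (f"- Certificate[{index}] info:\n"
            f" - subject `{subject}', issuer `{issuer}', RSA key 2048 bits\n")


RUN_FULL = (
    "Resolving 'www.hostgator.com'...\n"
    "Connecting to '173.192.226.44:443'...\n"
    "- Got a certificate list of 3 certificates.\n"
    + _cert(0, LEAF, DV_CA) + _cert(1, DV_CA, RSA_CA) + _cert(2, RSA_CA, ADDTRUST)
    + "- Status: The certificate is trusted. \n"
)
RUN_SHORT = (
    "Resolving 'www.hostgator.com'...\n"
    "Connecting to '50.23.69.98:443'...\n"
    "- Got a certificate list of 1 certificates.\n"
    + _cert(0, LEAF, DV_CA)
    + "- Status: The certificate is NOT trusted. The certificate issuer is unknown. \n"
)

CONNECT_RE = re.compile(r"Connecting to '(.+):(\d+)'")
LIST_RE = re.compile(r"Got a certificate list of (\d+) certificates")
CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)', ")
STATUS_RE = re.compile(r"- Status: (.*)")


def parse_transcript(text):
    """Extract peer address, announced chain length, (subject, issuer) pairs and verdict."""
    addr = CONNECT_RE.search(text)
    declared = LIST_RE.search(text)
    status = STATUS_RE.search(text)
    return {
        "address": addr.group(1) if addr else None,
        "declared": int(declared.group(1)) if declared else 0,
        "chain": CERT_RE.findall(text),
        "trusted": bool(status) and "NOT trusted" not in status.group(1),
    }


def chain_findings(run):
    """Structural problems in the served list: miscounts and broken issuer links."""
    findings = []
    chain = run["chain"]
    if len(chain) != run["declared"]:
        findings.append(f"parsed {len(chain)} certificates, server announced {run['declared']}")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            findings.append(f"certificate[{i}] issuer is not certificate[{i + 1}] subject")
    return findings


def issuer_needed_locally(run):
    """DN the client must already hold to anchor the served chain.

    Returns None when the last served certificate is self-signed or nothing was served.
    """
    if not run["chain"]:
        return None
    subject, issuer = run["chain"][-1]
    return None if subject == issuer else issuer


def short_chain_backends(runs):
    """Addresses that served fewer certificates than the longest chain seen for the name."""
    longest = max(len(r["chain"]) for r in runs)
    return sorted(r["address"] for r in runs if len(r["chain"]) < longest)


if __name__ == "__main__":
    runs = [parse_transcript(t) for t in (RUN_FULL, RUN_SHORT)]
    for run in runs:
        print(run["address"], "certs:", len(run["chain"]), "trusted:", run["trusted"])
        print("  client must supply:", issuer_needed_locally(run))
        for finding in chain_findings(run):
            print("  finding:", finding)
    print("short-chain backends:", short_chain_backends(runs))
```

For the backend that sends only the leaf, the issuer the client must supply is the intermediate CA rather than a root, which matches the "issuer is unknown" verdict in that run.
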
* bug#24575: libgnutls MacOSX bug?
From: Lars Ingebrigtsen @ 2017-01-24 23:35 UTC
To: npostavs; +Cc: 24575, Devon Sean McCullough

npostavs@users.sourceforge.net writes:

> I think this is a problem on the remote end. I see this problem, but
> not every time. Checking with gnutls-cli it seems that when
> www.hostgator.com resolves to 50.23.69.98 it serves fewer certificates,
> and fails to verify. Other machines serve more certificates and
> verification succeeds.

So this doesn't seem to be an Emacs bug? I'm closing this report, but
feel free to reopen if it turns out to be an Emacs bug anyway.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#24575: libgnutls MacOSX bug?
From: Devon Sean McCullough @ 2017-01-25 21:38 UTC
To: Lars Ingebrigtsen; +Cc: 24575, npostavs

> On Jan 24, 2017, at 6:35 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote:
> So this doesn't seem to be an Emacs bug? I'm closing this report, but
> feel free to reopen if it turns out to be an Emacs bug anyway.

Either an Emacs bug or a cert bug at https://gnu.org.

Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://gnu.org"))'

======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s:

%s" ("gnu.org" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=gnu.org
Hostname: gnu.org
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level: Medium
Valid: From 2016-12-16 to 2017-03-16
" 272 278 (face bold)))
1 <- nsm-query-user: session
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s:

%s" ("www.gnu.org" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=gnu.org
Hostname: gnu.org
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level: Medium
Valid: From 2016-12-16 to 2017-03-16
" 272 278 (face bold)))
1 <- nsm-query-user: session

* bug#24575: libgnutls MacOSX bug?
From: Glenn Morris @ 2017-01-25 22:37 UTC
To: Devon Sean McCullough; +Cc: 24575, Lars Ingebrigtsen, npostavs

(BTW, This seems like a duplicate of 24396?)

* bug#24575: libgnutls MacOSX bug?
From: npostavs @ 2017-01-25 23:57 UTC
To: Glenn Morris; +Cc: 24575, Lars Ingebrigtsen, Devon Sean McCullough

tags 24575 notabug
quit

Glenn Morris <rgm@gnu.org> writes:

> (BTW, This seems like a duplicate of 24396?)

The case in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24575#28
definitely looks like Bug#24396, and I can't reproduce it here on my
Arch GNU/Linux box.

For the case in the OP, I reported in
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24575#20 being able to
reproduce the error sometimes, depending on which remote host answered.
Since it also happens with gnutls-cli, I don't believe it's an Emacs
bug. And it no longer happens for me at all, so I think it was fixed on
the remote end.