From: Lars Magne Ingebrigtsen <larsi@gnus.org>
To: 23027@debbugs.gnu.org
Cc: Anssi Saari <as@sci.fi>
Subject: bug#23027: 25.1.50; Emacs refuses to talk to eternal-september because they now use an MD5 certificate, apparently
Date: Sun, 24 Apr 2016 16:03:40 +0200
Message-ID: <m3bn4zaytf.fsf@gnus.org>
In-Reply-To: <m31t7apuau.fsf@gnus.org> (Lars Magne Ingebrigtsen's message of "Wed, 16 Mar 2016 11:54:17 +0100")
Lars Magne Ingebrigtsen <larsi@gnus.org> writes:
> Here's an easy test case:
>
> (open-network-stream
>  "nntpd" (get-buffer-create "*foo*")
>  "news.eternal-september.org" "nntp"
>  :type 'starttls
>  :end-of-command "^\\([2345]\\|[.]\\).*\n"
>  :capability-command "HELP\r\n"
>  :success "^3"
>  :starttls-function
>  (lambda (capabilities)
>    (if (not (string-match "STARTTLS" capabilities))
>        nil
>      "STARTTLS\r\n")))
>
> First of all, I think the error message is lacking. It should say more
> about what's failing.
I've now fixed this...
> As to the bug -- gnutls by default now refuses to deal with MD5
> certificates. We could override that, and instead let the network
> security manager notify the user that the connection isn't safe.
This apparently has nothing to do with MD5? Included below is what
s_client says about the TLS connection. It's ECDSA...
Hm... but there is a self signed certificate in the chain. Uhm...
using GNUTLS_VERIFY_DISABLE_CA_SIGN doesn't help, I still get
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM. Hm...
Is it possible that the gnutls installation is just too old or
something? Weird.
[larsi@stories /usr/include/gnutls]$ openssl s_client -connect news.eternal-september.org:nntps
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=news.eternal-september.org
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the message]
-----END CERTIFICATE-----
subject=/CN=news.eternal-september.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4086 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 79FA1DD8A295D1D96475BE1818E88C3C28059A074AA8B743871B48243C203072
Session-ID-ctx:
Master-Key: 156AF5671933E472B5B2E5ACAED0FB40B6F4EE997F9F2DABA13F548E9B64DB4565C4FD9B7D9539AF0D7A77B64E3942F4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 65 10 86 c0 3b 81 89 d6-b6 63 74 7a c6 9d 9b 3b e...;....ctz...;
0010 - a8 38 e2 4a dc 47 96 f6-90 b5 37 6b 33 dc 73 2b .8.J.G....7k3.s+
0020 - 9c fb 97 e9 fc de 22 70-b7 da 76 0b 92 f3 94 72 ......"p..v....r
0030 - 49 c5 ac 15 9f a3 5f 1e-e9 c6 19 b1 ed 16 1d 50 I....._........P
0040 - 8a 0a 74 70 8e 97 ed 09-04 99 3d 75 cd 4d 46 15 ..tp......=u.MF.
0050 - 93 b1 31 50 e0 28 bc b3-dd da 46 2c ac 00 47 88 ..1P.(....F,..G.
0060 - a5 c3 b1 ad e1 86 d8 f3-85 c8 c3 9e c5 cf bb 9d ................
0070 - 93 14 8d c6 de c9 ff 7e-f6 45 99 35 cb 83 41 ab .......~.E.5..A.
0080 - 97 06 11 85 4a ee 76 a5-f4 1b 11 17 98 dd ec aa ....J.v.........
0090 - f2 48 d4 b6 2d 2e 16 a9-53 03 c1 96 96 31 ba ab .H..-...S....1..
Start Time: 1461506257
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no