From: Ludovic Courtès <ludo@gnu.org>
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Wed, 21 Jun 2017 12:50:15 +0200
Message-ID: <87lgolipi0.fsf@gnu.org>
In-Reply-To: <20170621061752.GA32412@jasmine.lan> (Leo Famulari's message of "Wed, 21 Jun 2017 02:17:52 -0400")
To: Leo Famulari
Cc: 27437@debbugs.gnu.org

Hi,

Leo Famulari wrote:

> While working on some package updates, I found that the source code
> downloader will accept an X.509 certificate for an incorrect site.
>
> Here is what happens:
>
> ------
> $ ./pre-inst-env guix build -S opus-tools --check
> @ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2
>
> Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
> From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
> ….1.10.tar.gz 305KiB 822KiB/s 00:00 [####################] 100.0%
> warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
> /gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
> ------
>
> Here is an example of what I think should happen in this case:
>
> ------
> $ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
> curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
> ------

Also:

--8<---------------cut here---------------start------------->8---
$ guix download https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
Starting download of /tmp/guix-file.vjPVRk
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
ERROR: X.509 server certificate for 'downloads.xiph.org' does not match: C=US,postalCode=97331,ST=OR,L=Corvallis,street=Oregon State University,street=Kerr Admin Building,O=Oregon State University,OU=OSU OSL,CN=osuosl.org
failed to download "/tmp/guix-file.vjPVRk" from "https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz"
guix download: error: https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz: download failed
--8<---------------cut here---------------end--------------->8---

The behavior of the source download is on purpose as noted in (guix download):

    ;; No need to validate certificates since we know the
    ;; hash of the expected result.
    #:verify-certificate? #f)))))

IOW, since we’re checking the integrity of the tarball anyway, and we assume developers checked its authenticity when writing the recipe, then who cares whether downloads.xiph.org has a valid certificate?

Conversely, ‘guix download’ always checks certificates by default.

Does it make sense?

Ludo’.
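The two policies the thread contrasts can be written out as one decision routine: a fixed-output source download carries an expected hash, so the hash decides and certificate validation can be skipped; a hash-less fetch such as ‘guix download’ has nothing else to fall back on, so the certificate must match the requested host. The following is an added illustration, not code from this thread or from Guix itself. The tarball body and its SHA-256 are constructed stand-ins, the function names are hypothetical, and the hostname matcher is a deliberately small teaching version (exact name plus a single-label wildcard), not a substitute for a TLS library's matcher. The two names it is run against, ‘downloads.xiph.org’ and the presented CN ‘osuosl.org’, are taken from the error output above.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the tarball body; the real opus-tools tarball
# and its hash are not reproduced here.
SAMPLE_BODY = b"constructed stand-in for opus-tools-0.1.10.tar.gz\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BODY).hexdigest()

# Names taken from the report: the host that was requested and the only
# name (CN) the presented certificate carried.
REQUESTED_HOST = "downloads.xiph.org"
PRESENTED_NAMES = ("osuosl.org",)


def hostname_matches(hostname, presented_names):
    """Return True if hostname matches one of the certificate's names.

    Teaching version: exact match, or a wildcard in the leftmost label
    ("*.xiph.org") covering exactly one label. Real TLS stacks apply the
    full RFC 6125 rules; this is only enough to show the decision.
    """
    host = hostname.lower().rstrip(".")
    for name in presented_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                # ".xiph.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            # One label only: downloads.xiph.org matches, a.b.xiph.org does not.
            if prefix and "." not in prefix:
                return True
    return False


def content_hash_matches(body, expected_sha256):
    """Constant-time comparison of the body's SHA-256 against the recipe hash."""
    actual = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


@dataclass
class Decision:
    accepted: bool
    reason: str


def decide(hostname, presented_names, body, expected_sha256=None,
           verify_certificate=None):
    """Accept or reject a fetched body under the policy the thread describes.

    - With an expected hash (a package 'source' download), certificate
      checking is off by default and the hash alone decides.
    - Without one (a plain 'guix download'), the certificate must match
      the requested hostname, since nothing else vouches for the content.
    The default can be overridden, mirroring a #:verify-certificate? flag.
    """
    if verify_certificate is None:
        verify_certificate = expected_sha256 is None

    if verify_certificate and not hostname_matches(hostname, presented_names):
        return Decision(False,
                        f"X.509 server certificate for '{hostname}' does not "
                        f"match: {', '.join(presented_names)}")

    if expected_sha256 is not None:
        if not content_hash_matches(body, expected_sha256):
            return Decision(False, "hash mismatch: body is not the expected fixed output")
        return Decision(True, "content hash matches the expected fixed output")

    return Decision(True, "certificate matches hostname; no content hash to check")


if __name__ == "__main__":
    # Source download: wrong certificate, right hash -> accepted.
    print(decide(REQUESTED_HOST, PRESENTED_NAMES, SAMPLE_BODY, SAMPLE_SHA256))
    # 'guix download' style: wrong certificate, no hash -> rejected.
    print(decide(REQUESTED_HOST, PRESENTED_NAMES, SAMPLE_BODY))
    # Source download whose body was altered in transit -> rejected by hash.
    print(decide(REQUESTED_HOST, PRESENTED_NAMES, b"altered body", SAMPLE_SHA256))
```

The point the routine makes explicit is that the hash check only covers what the recipe author pinned: a mismatched certificate on a hash-pinned fetch costs nothing in integrity, because a substituted body fails the hash, while on a hash-less fetch the certificate is the only thing standing between the user and an arbitrary body.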