From: Tobias Geerinckx-Rice
To: Giovanni Biscuolo
Cc: help-guix@gnu.org
Subject: Re: curl server certificate verification failed for a few sites
References: <87sgfbkm7g.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me> <87o8pylsel.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me> <874krqdboh.fsf@nckx> <87tuzok0zk.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
In-reply-to: <87tuzok0zk.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
Date: Sat, 06 Jun 2020 16:29:26 +0200
Message-ID: <87img49sjd.fsf@nckx>
Giovanni,

Giovanni Biscuolo wrote:

> ...and sorry again to all other Guix users for the "noise": this is not
> strictly related to Guix but just to the most recent version of
> curl/wget

Don't be. It was a legitimate bug in a Guix package. Thanks to Marius for the quick fix, by the way!

> I still don't understand the differences between curl (and wget)
> behaviour and the last Guix available ungoogled-chromium (see below).

The expiration of the Sectigo root triggered a dormant bug in GnuTLS. Users of other crypto libraries were unaffected.

> I guess that this information, client side, is the same for all browsers
> and CLI interfaces (like curl) since long ago: right?

Yes. Including GnuTLS. It had the right data but drew the wrong conclusion from it.
> It seems that ungoogled-chromium stops the verification at the
> level=1 certificate:

As your browser and SSLLabs knew, there *was* a valid chain (two, even) and GnuTLS should have returned success. Instead it reported failure because there was *also* an invalid expired one.

At the risk of being flamed for oversimplifying: paranoid GnuTLS was using AND where it should have used OR.

Here's the actual bug report: .

(I think the server's still sending too many intermediates, but at least now all clients will correctly ignore them. They'll just waste some bandwidth on every handshake.)

Kind regards,

T G-R
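An added illustration of the "AND where it should have used OR" point above; this is editor-written example code, not code from the thread or from GnuTLS. It models a constructed toy PKI (placeholder names) in which the site's intermediate can be chained either to a still-valid self-signed root or, via a cross-certificate, to a root that expired on 2020-05-30, and compares a verifier that accepts when any path validates with one that rejects when any candidate path is expired.

```python
from dataclasses import dataclass
from datetime import date

# Constructed toy PKI mirroring the layout the thread describes. The names
# are placeholders, not real CA names; only the structure matters here.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

LEAF = Cert("www.example.test", "Example Intermediate CA", date(2021, 1, 1))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", date(2030, 1, 1))
ROOT_SELF = Cert("Example Root CA", "Example Root CA", date(2038, 1, 1))
ROOT_CROSS = Cert("Example Root CA", "Legacy Root CA", date(2020, 5, 30))  # cross-cert, expired
LEGACY_ROOT = Cert("Legacy Root CA", "Legacy Root CA", date(2020, 5, 30))  # old anchor, expired

TRUST_ANCHORS = {ROOT_SELF, LEGACY_ROOT}
# What the verifier can see: the server-sent chain plus its own trust store.
POOL = [LEAF, INTERMEDIATE, ROOT_SELF, ROOT_CROSS, LEGACY_ROOT]
BEFORE_EXPIRY = date(2020, 5, 1)
AFTER_EXPIRY = date(2020, 6, 6)   # the date of this thread

def build_paths(leaf, pool, anchors):
    """Enumerate every leaf-to-anchor path by matching issuer to subject names."""
    paths = []
    def walk(path):
        tail = path[-1]
        if tail in anchors:          # reached a trust anchor: record this path
            paths.append(path)
            return
        for cand in pool:
            if cand.subject == tail.issuer and cand not in path:
                walk(path + [cand])  # try every certificate naming this issuer
    walk([leaf])
    return paths

def path_valid(path, today):
    """A path is valid only if every certificate on it is unexpired today."""
    return all(c.not_after >= today for c in path)

def verify_any(leaf, pool, anchors, today):
    """Correct behaviour (OR): succeed if ANY path to an anchor validates."""
    return any(path_valid(p, today) for p in build_paths(leaf, pool, anchors))

def verify_all(leaf, pool, anchors, today):
    """Behaviour the thread describes (AND): fail if ANY candidate path is bad."""
    paths = build_paths(leaf, pool, anchors)
    return bool(paths) and all(path_valid(p, today) for p in paths)
```

Both verifiers agree before the legacy root expires; afterwards only `verify_any` still accepts the site, which is the difference the browser and curl/GnuTLS showed.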