From: Leo Famulari
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Wed, 21 Jun 2017 02:17:52 -0400
Message-ID: <20170621061752.GA32412@jasmine.lan>
To: 27437@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

While working on some package updates, I found that the source code downloader will accept an X.509 certificate for an incorrect site. Here is what happens:

------
$ ./pre-inst-env guix build -S opus-tools --check
@ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv - x86_64-linux /var/log/guix/drvs/nn//93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.gz.drv.bz2

Starting download of /gnu/store/0js62s7pz9gfcdsd1n764w91mhhwkws4-opus-tools-0.1.10.tar.gz
From https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz...
 ….1.10.tar.gz  305KiB  822KiB/s 00:00 [####################] 100.0%
warning: rewriting hashes in `/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz'; cross fingers
/gnu/store/vdpyfqzp0kkjpxr79fq3an7j4s4vkz0h-opus-tools-0.1.10.tar.gz
------

Here is an example of what I think should happen in this case:

------
$ curl https://downloads.xiph.org/releases/opus/opus-tools-0.1.10.tar.gz
curl: (51) SSL: certificate subject name (osuosl.org) does not match target host name 'downloads.xiph.org'
------

And this is what Firefox says:

------
downloads.xiph.org uses an invalid security certificate.
The certificate is only valid for the following names: osuosl.org, *.osuosl.org

Error code: SSL_ERROR_BAD_CERT_DOMAIN
------
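The check that curl and Firefox perform and that the report says the Guix downloader skips is hostname verification: after the certificate chain has been validated, the name the client asked for must match one of the identities in the certificate. The following is an added example, not code from the bug report and not Guix's own Guile downloader; it implements that matching in Python (the function names `hostname_matches`, `verify_hostname`, `strict_context` and `permissive_context` are this example's own) and exercises it against the two names Firefox listed for the certificate served by downloads.xiph.org. The two `ssl.SSLContext` helpers show the setting that makes the difference: with `check_hostname` left off, a chain that validates to a trusted CA is accepted for any host name, which is exactly the behaviour the report describes.

```python
"""Hostname verification for TLS server certificates (RFC 6125 style).

Added example for bug#27437; not part of the report or of Guix itself.
"""
import ssl
from typing import Iterable

# Constructed sample: the identities Firefox reported for the certificate
# that downloads.xiph.org served at the time of the bug report.
SAMPLE_CERT_NAMES = ("osuosl.org", "*.osuosl.org")


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS identity against a requested host name.

    Conservative subset of RFC 6125 section 6.4.3:
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the whole leftmost label ("*.osuosl.org");
    - the wildcard matches exactly one label, so "*.osuosl.org" matches
      "ftp.osuosl.org" but neither "osuosl.org" nor "a.b.osuosl.org";
    - a wildcard pattern needs at least two labels after the "*", so a
      certificate for "*.org" is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard that is not the entire leftmost label
    if len(p_labels) < 3:
        return False  # too broad: would cover a whole public suffix
    if len(h_labels) != len(p_labels):
        return False  # "*" stands for exactly one label
    return h_labels[1:] == p_labels[1:]


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if the requested host name is covered by any identity in the cert."""
    return any(_match_dns_name(name, hostname) for name in cert_names)


def verify_hostname(hostname: str, cert_names: Iterable[str]) -> None:
    """Raise ssl.CertificateError on mismatch, in the spirit of curl's error 51."""
    names = tuple(cert_names)
    if not hostname_matches(hostname, names):
        raise ssl.CertificateError(
            f"certificate is valid for {', '.join(names)}, "
            f"not for target host name '{hostname}'"
        )


def strict_context() -> ssl.SSLContext:
    """What a downloader should use: CA validation plus the hostname check.

    ssl.create_default_context() already sets check_hostname=True and
    verify_mode=CERT_REQUIRED; this helper only makes that explicit.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_context() -> ssl.SSLContext:
    """The weak setting: chain still validated, but any host name accepted.

    This is the behaviour the report describes (osuosl.org's certificate
    accepted for downloads.xiph.org); shown here for contrast, not for use.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


if __name__ == "__main__":
    try:
        verify_hostname("downloads.xiph.org", SAMPLE_CERT_NAMES)
    except ssl.CertificateError as err:
        print("rejected:", err)
    verify_hostname("ftp.osuosl.org", SAMPLE_CERT_NAMES)
    print("ftp.osuosl.org accepted")
```

Run as a script, it rejects downloads.xiph.org against the sample names and accepts ftp.osuosl.org. When a client hands the decision to the TLS library instead, the equivalent is `ssl.create_default_context()` (or GnuTLS's hostname verification on the Guile side) with hostname checking left enabled; the point of `permissive_context` is only to make visible which single setting turns a correct client into the one in the report.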