Package: emacs
Reported by: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
Date: Wed, 16 Mar 2016 10:55:02 UTC
Severity: normal
Found in version 25.1.50
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Message #11 received at 23027 <at> debbugs.gnu.org:
From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: 23027 <at> debbugs.gnu.org
Cc: Anssi Saari <as <at> sci.fi>
Subject: Re: bug#23027: 25.1.50; Emacs refuses to talk to eternal-september because they now use an MD5 certificate, apparently
Date: Sun, 24 Apr 2016 16:03:40 +0200

Lars Magne Ingebrigtsen <larsi <at> gnus.org> writes:

> Here's an easy test case:
>
> (open-network-stream
>  "nntpd" (get-buffer-create "*foo*")
>  "news.eternal-september.org" "nntp"
>  :type 'starttls
>  :end-of-command "^\\([2345]\\|[.]\\).*\n"
>  :capability-command "HELP\r\n"
>  :success "^3"
>  :starttls-function
>  (lambda (capabilities)
>    (if (not (string-match "STARTTLS" capabilities))
>        nil
>      "STARTTLS\r\n")))
>
> First of all, I think the error message is lacking.  It should say more
> about what's failing.

I've now fixed this...

> As to the bug -- gnutls by default now refuses to deal with MD5
> certificates.  We could override that, and instead let the network
> security manager notify the user that the connection isn't safe.

This apparently has nothing to do with MD5?  Included below is what
s_client says about the TLS connection.  It's ECDSA...

Hm... but there is a self signed certificate in the chain.  Uhm... using
GNUTLS_VERIFY_DISABLE_CA_SIGN doesn't help, I still get
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM.

Hm...  Is it possible that the gnutls installation is just too old or
something?  Weird.

[larsi <at> stories /usr/include/gnutls]$ openssl s_client -connect news.eternal-september.org:nntps
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support <at> cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=news.eternal-september.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support <at> cacert.org
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support <at> cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support <at> cacert.org
---
Server certificate
subject=/CN=news.eternal-september.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support <at> cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4086 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 79FA1DD8A295D1D96475BE1818E88C3C28059A074AA8B743871B48243C203072
    Session-ID-ctx:
    Master-Key: 156AF5671933E472B5B2E5ACAED0FB40B6F4EE997F9F2DABA13F548E9B64DB4565C4FD9B7D9539AF0D7A77B64E3942F4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1461506257
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
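
The open question in the message above is which signature algorithm the server certificate really uses. The following is an added example, not part of the original message or of Emacs or GnuTLS: it reads the signatureAlgorithm OID directly from a PEM block such as the one s_client prints. SAMPLE_PEM is a constructed certificate skeleton, and the OID table is a small illustrative subset.

```python
import base64

# signatureAlgorithm OID -> (name, True if the digest is weak: MD5 or SHA-1)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # valid when the first arc is 0 or 1
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(pem):
    """Return (oid, name, weak) for tbsCertificate.signature of one PEM certificate."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    _, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version
        tag, _, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    tag, pos, _ = read_tlv(der, end)    # signature AlgorithmIdentifier
    otag, start, stop = read_tlv(der, pos)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("expected AlgorithmIdentifier starting with an OID")
    oid = decode_oid(der[start:stop])
    return (oid,) + SIG_ALGS.get(oid, ("unknown", None))

# Constructed sample: skeleton with version, serial and an MD5 AlgorithmIdentifier; not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMBkwF6ADAgECAgEBMA0GCSqGSIb3DQEBBAUA\n-----END CERTIFICATE-----"
```

Paste the BEGIN/END CERTIFICATE block from s_client into `signature_algorithm()` to see whether the certificate's signature digest is MD5, SHA-1 or something newer.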