Package: emacs;
Reported by: "Devon Sean McCullough" <Emacs-Hacker2016 <at> jovi.net>
Date: Fri, 30 Sep 2016 21:51:02 UTC
Severity: normal
Tags: notabug
Found in version 25.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 24575 in the body.
You can then email your comments to 24575 AT debbugs.gnu.org in the normal way.
bug-gnu-emacs <at> gnu.org
:bug#24575
; Package emacs
.
(Fri, 30 Sep 2016 21:51:02 GMT) Message #5 received at submit <at> debbugs.gnu.org:
From: "Devon Sean McCullough" <Emacs-Hacker2016 <at> jovi.net>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.1; TLS cert lossage
Date: Fri, 30 Sep 2016 16:49:55 -0500

url-retrieve-synchronously distrusts this perfectly good cert
which is trusted by Emacs 24.3, Emacs 24.5 and FireFox 49.0.1:

$ Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com"))'

*trace-output*
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s:
%s" ("hostgator.com" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified") #("Certificate information
Issued by: COMODO RSA Domain Validation Secure Server CA
Issued to: Domain Control Validated
Hostname: *.hostgator.com
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-CBC, mac: SHA256
Security level: Medium
Valid: From 2015-10-16 to 2018-10-15
" 315 321 (face bold)))
1 <- nsm-query-user: no

*Backtrace*
Debugger entered--Lisp error: (error "Could not create connection to hostgator.com:443")
  signal(error ("Could not create connection to hostgator.com:443"))
  error("Could not create connection to %s:%d" "hostgator.com" 443)
  url-http([cl-struct-url "https" nil nil "hostgator.com" nil "" nil nil t nil t] #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] (nil) nil tls)
  url-https([cl-struct-url "https" nil nil "hostgator.com" nil "" nil nil t nil t] #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] (nil))
  url-retrieve-internal("https://HostGator.com" #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] (nil) nil nil)
  url-retrieve("https://HostGator.com" #[128 "\302\303\304p#\210\300\305\240\210\301p\240\207" [(nil) (nil) url-debug retrieval "Synchronous fetching done (%S)" t] 5 "\n\n(fn &rest IGNORED)"] nil nil nil)
  url-retrieve-synchronously("https://HostGator.com")
  (progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com"))
  eval((progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://HostGator.com")))
  command-line-1(("--eval" "(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously \"https://HostGator.com\"))"))
  command-line()
  normal-top-level()

$ Open https://HostGator.com
# FireFox 49.0.1 accepts the cert without question and can export the chain to a PEM file:

$ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {cert = cert "\n" $0}; /END CERTIFICATE/ {system ("OpenSSL x509 -text <<.\n" cert "\n.\n"); cert = ""}' < '*.hostgator.com.crt'

In GNU Emacs 25.1.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version 10.9.5 (Build 13F1911))
 of 2016-09-20 built on builder10-9.porkrind.org
Windowing system distributor 'Apple', version 10.3.1404
Configured using:
 'configure --with-ns '--enable-locallisppath=/Library/Application Support/Emacs/${version}/site-lisp:/Library/Application Support/Emacs/site-lisp' --with-modules'

Configured features:
NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS MODULES

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Fundamental

Minor modes in effect:
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.
Contacting host: hostgator.com:443
Type C-x 1 to delete the help window.
Entering debugger...
Mark set [4 times]
Saved text until "1 (face bold)))
1 <- nsm-query-user: no
"

Load-path shadows:
None found.

Features:
(shadow sort mail-extr emacsbug message dired format-spec rfc822 mml
mml-sec epg epg-config mm-decode mm-bodies mm-encode mailabbrev
gmm-utils mailheader sendmail mail-utils debug network-stream nsm
starttls url-http tls gnutls mail-parse rfc2231 rfc2047 rfc2045
ietf-drums url-gw url-cache url-auth url url-proxy url-privacy
url-expand url-methods url-history url-cookie url-domsuf url-util
url-parse auth-source cl-seq eieio byte-opt bytecomp byte-compile
cl-extra cconv eieio-core cl-macs gv gnus-util mm-util help-fns
help-mode easymenu cl-loaddefs pcase cl-lib mail-prsvr password-cache
url-vars mailcap trace time-date mule-util tooltip eldoc electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel ns-win
ucs-normalize term/common-win tool-bar dnd fontset image regexp-opt
fringe tabulated-list newcomment elisp-mode lisp-mode prog-mode
register page menu-bar rfn-eshadow timer select scroll-bar mouse
jit-lock font-lock syntax facemenu font-core frame cl-generic cham
georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese eucjp-ms cp51932 hebrew greek romanian slovak czech
european ethiopic indian cyrillic chinese charscript case-table
epa-hook jka-cmpr-hook help simple abbrev minibuffer cl-preloaded
nadvice loaddefs button faces cus-face macroexp files text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote kqueue cocoa ns multi-tty
make-network-process emacs)

Memory information:
((conses 16 212415 6685)
 (symbols 48 21416 0)
 (miscs 40 85 166)
 (strings 32 21102 6674)
 (string-bytes 1 614300)
 (vectors 16 35417)
 (vector-slots 8 679626 6101)
 (floats 8 206 185)
 (intervals 56 352 4)
 (buffers 976 20))
(Sat, 01 Oct 2016 07:59:01 GMT) Message #8 received at 24575 <at> debbugs.gnu.org:
From: Eli Zaretskii <eliz <at> gnu.org>
To: "Devon Sean McCullough" <Emacs-Hacker2016 <at> jovi.net>
Cc: 24575 <at> debbugs.gnu.org
Subject: Re: bug#24575: 25.1; TLS cert lossage
Date: Sat, 01 Oct 2016 10:58:44 +0300

> Date: Fri, 30 Sep 2016 16:49:55 -0500
> From: "Devon Sean McCullough" <Emacs-Hacker2016 <at> jovi.net>
>
> url-retrieve-synchronously distrusts this perfectly good cert
> which is trusted by Emacs 24.3, Emacs 24.5 and FireFox 49.0.1:
>
> $ Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq
> debug-on-error t) (trace-function (function nsm-query-user))
> (url-retrieve-synchronously "https://HostGator.com"))'
>
> *trace-output*
> ======================================================================
> 1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the
> following reason%s:

It doesn't fail for me here, I get a buffer with the content of that
URL. So it could be some issue with your TLS layer or the certificate
bundle.
(Sat, 01 Oct 2016 08:50:01 GMT) Message #11 received at 24575 <at> debbugs.gnu.org:
From: "Devon Sean McCullough" <Emacs-Hacker2016 <at> jovi.net>
To: 24575 <at> debbugs.gnu.org
Subject: (url-retrieve-synchronously "https://gnu.org") ; untrusted
Date: Sat, 1 Oct 2016 03:49:42 -0500
(Sat, 01 Oct 2016 10:21:02 GMT) Message #14 received at 24575 <at> debbugs.gnu.org:
From: "Devon Sean McCullough" <Devon2016 <at> jovi.net>
To: 24575 <at> debbugs.gnu.org
Subject: libgnutls MacOSX bug?
Date: Sat, 1 Oct 2016 05:20:31 -0500

Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?

$ lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
...
Emacs-x86 2568 devon cwd DIR 1,4 24004 4562405 /Users/devon
Emacs-x86 2568 devon txt REG 1,4 17858160 70328116 /Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_9
Emacs-x86 2568 devon txt REG 1,4 1070144 70328127 /Applications/Emacs.app/Contents/MacOS/lib-x86_64-10_9/libgnutls.30.dylib
...

$ system_profiler SPSoftwareDataType
Software:
    System Software Overview:
      System Version: OS X 10.11.6 (15G1004)
      Kernel Version: Darwin 15.6.0
...
(Sat, 01 Oct 2016 10:46:02 GMT) Message #17 received at 24575 <at> debbugs.gnu.org:
From: Eli Zaretskii <eliz <at> gnu.org>
To: "Devon Sean McCullough" <Devon2016 <at> jovi.net>
Cc: 24575 <at> debbugs.gnu.org
Subject: Re: bug#24575: libgnutls MacOSX bug?
Date: Sat, 01 Oct 2016 13:45:02 +0300

> Date: Sat, 1 Oct 2016 05:20:31 -0500
> From: "Devon Sean McCullough" <Devon2016 <at> jovi.net>
>
> Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?

My Emacs is built with GnuTLS, and it doesn't show the problem.

GnuTLS uses the system's store of the certificates, so I think the
problem might be there.
(Sat, 01 Oct 2016 12:07:02 GMT) Message #20 received at 24575 <at> debbugs.gnu.org:
From: npostavs <at> users.sourceforge.net
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 24575 <at> debbugs.gnu.org, Devon Sean McCullough <Devon2016 <at> jovi.net>
Subject: Re: bug#24575: libgnutls MacOSX bug?
Date: Sat, 01 Oct 2016 08:07:22 -0400

Eli Zaretskii <eliz <at> gnu.org> writes:

>> Date: Sat, 1 Oct 2016 05:20:31 -0500
>> From: "Devon Sean McCullough" <Devon2016 <at> jovi.net>
>>
>> Perhaps the bug is in libgnutls which Emacs-25 has and Emacs-24 lacks?
>
> My Emacs is built with GnuTLS, and it doesn't show the problem.
>
> GnuTLS uses the system's store of the certificates, so I think the
> problem might be there.

I think this is a problem on the remote end. I see this problem, but
not every time. Checking with gnutls-cli it seems that when
www.hostgator.com resolves to 50.23.69.98 it serves fewer certificates,
and fails to verify. Other machines serve more certificates and
verification succeeds.

~$ gnutls-cli www.hostgator.com
Processed 183 CA certificate(s).
Resolving 'www.hostgator.com'...
Connecting to '173.192.226.44:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-16 00:00:00 UTC', expires `2018-10-15 23:59:59 UTC', SHA-1 fingerprint `1327565bd907609d8cc120fd0af53426347486c5'
	Public Key ID:
		75265ba9039f77c136d9519931b9c8496dd91967
	Public key's random art:
		+--[ RSA 2048]----+
		| .=E|
		| + %=|
		| . o B X o|
		| + O = + |
		| S * . . |
		| o . |
		| |
		| |
		| |
		+-----------------+

- Certificate[1] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', SHA-1 fingerprint `339cdd57cfd5b141169b615ff31428782d1da639'
- Certificate[2] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-CBC)-(SHA256)
- Session ID: 47:28:B2:1E:8E:60:4F:17:8C:03:4C:21:50:F0:27:82:54:4B:5F:60:31:B0:48:D5:84:08:BC:30:82:30:86:EB
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GnuTLS connection

~$ gnutls-cli www.hostgator.com
Processed 183 CA certificate(s).
Resolving 'www.hostgator.com'...
Connecting to '50.23.69.98:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-16 00:00:00 UTC', expires `2018-10-15 23:59:59 UTC', SHA-1 fingerprint `1327565bd907609d8cc120fd0af53426347486c5'
	Public Key ID:
		75265ba9039f77c136d9519931b9c8496dd91967
	Public key's random art:
		+--[ RSA 2048]----+
		| .=E|
		| + %=|
		| . o B X o|
		| + O = + |
		| S * . . |
		| o . |
		| |
		| |
		| |
		+-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
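Added example (not part of the thread, and not Emacs or GnuTLS code): a Python script that parses gnutls-cli transcripts like the two in message #20 and reports, per backend address, how many certificates were served and which issuer the client would already have to trust. The sample transcript is abridged from that message; the names Session, parse_sessions, required_anchor, verdict and flaky_hosts are made up for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: abridged from the two gnutls-cli runs quoted in message #20
# (key details, fingerprints and session parameters dropped).
SAMPLE = r"""
Resolving 'www.hostgator.com'...
Connecting to '173.192.226.44:443'...
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits
- Certificate[1] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', RSA key 2048 bits
- Certificate[2] info:
 - subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 4096 bits
- Status: The certificate is trusted.
Resolving 'www.hostgator.com'...
Connecting to '50.23.69.98:443'...
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
"""

RESOLVE = re.compile(r"^Resolving '([^']+)'")
CONNECT = re.compile(r"^Connecting to '([^']+):\d+'")
COUNT = re.compile(r"Got a certificate list of (\d+) certificates")
CERT = re.compile(r"subject `(.*?)', issuer `(.*?)'")
STATUS = re.compile(r"^- Status: (.*)$")


@dataclass
class Session:
    host: str
    addr: str
    announced: int = 0                         # N from "Got a certificate list of N"
    chain: list = field(default_factory=list)  # (subject, issuer) DNs, leaf first
    status: str = ""


def parse_sessions(text):
    """Split concatenated gnutls-cli output into one Session per connection."""
    sessions, host = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := RESOLVE.match(line):
            host = m.group(1)
        elif m := CONNECT.match(line):
            sessions.append(Session(host, m.group(1)))
        elif sessions and (m := COUNT.search(line)):
            sessions[-1].announced = int(m.group(1))
        elif sessions and (m := CERT.search(line)):
            sessions[-1].chain.append(m.groups())
        elif sessions and (m := STATUS.match(line)):
            sessions[-1].status = m.group(1)
    return sessions


def common_name(dn):
    """Text after the last 'CN=' of a DN as printed above (display only)."""
    return dn.rsplit("CN=", 1)[-1]


def required_anchor(session):
    """Issuer of the last certificate served: what the client must already trust."""
    return common_name(session.chain[-1][1]) if session.chain else None


def verdict(session):
    """Classify one connection from its status line and the shape of its chain."""
    if session.status.startswith("The certificate is trusted"):
        return "ok"
    if "issuer is unknown" in session.status and len(session.chain) == 1:
        subject, issuer = session.chain[0]
        if subject != issuer:          # not self-signed, so an intermediate is missing
            return "leaf-only chain"
    return "untrusted"


def flaky_hosts(sessions):
    """Hosts whose backend addresses disagree, as {host: {addr: verdict}}."""
    by_host = defaultdict(dict)
    for s in sessions:
        by_host[s.host][s.addr] = verdict(s)
    return {h: v for h, v in by_host.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE)
    for s in parsed:
        print(f"{s.host} via {s.addr}: {len(s.chain)} cert(s), {verdict(s)}, "
              f"client must trust: {required_anchor(s)}")
    print("inconsistent backends:", flaky_hosts(parsed))
```

With the leaf-only answer, verification can only succeed if the client already holds the intermediate "COMODO RSA Domain Validation Secure Server CA", which is why the result depends on which address the name resolves to.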
(Tue, 24 Jan 2017 23:36:02 GMT) Message #23 received at 24575 <at> debbugs.gnu.org:
From: Lars Ingebrigtsen <larsi <at> gnus.org> To: npostavs <at> users.sourceforge.net Cc: 24575 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>, Devon Sean McCullough <Devon2016 <at> jovi.net> Subject: Re: bug#24575: libgnutls MacOSX bug? Date: Wed, 25 Jan 2017 00:35:50 +0100
npostavs <at> users.sourceforge.net writes:

> I think this is a problem on the remote end. I see this problem, but
> not every time. Checking with gnutls-cli it seems that when
> www.hostgator.com resolves to 50.23.69.98 it serves fewer certificates,
> and fails to verify. Other machines serve more certificates and
> verification succeeds.

So this doesn't seem to be an Emacs bug? I'm closing this report, but feel free to reopen if it turns out to be an Emacs bug anyway.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no

Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Tue, 24 Jan 2017 23:37:02 GMT)

Message #28 received at 24575 <at> debbugs.gnu.org (Wed, 25 Jan 2017 21:39:03 GMT):
From: Devon Sean McCullough <devon2016 <at> jovi.net>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: 24575 <at> debbugs.gnu.org, Eli Zaretskii <eliz <at> gnu.org>, npostavs <at> users.sourceforge.net
Subject: Re: bug#24575: libgnutls MacOSX bug?
Date: Wed, 25 Jan 2017 16:38:43 -0500

> On Jan 24, 2017, at 6:35 PM, Lars Ingebrigtsen <larsi <at> gnus.org> wrote:
> So this doesn't seem to be an Emacs bug? I'm closing this report, but
> feel free to reopen if it turns out to be an Emacs bug anyway.

Either an Emacs bug or a cert bug at https://gnu.org.

Open -a /Applications/Emacs.app -n --args -Q --eval '(progn (setq debug-on-error t) (trace-function (function nsm-query-user)) (url-retrieve-synchronously "https://gnu.org"))'

======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s: %s" ("gnu.org" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority certificate could not be verified") #("Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=gnu.org
Hostname: gnu.org
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level: Medium
Valid: From 2016-12-16 to 2017-03-16
" 272 278 (face bold)))
1 <- nsm-query-user: session
======================================================================
1 -> (nsm-query-user "The TLS connection to %s:%s is insecure for the following reason%s: %s" ("www.gnu.org" 443 "s" "the certificate was signed by an unknown and therefore untrusted authority certificate could not be verified") #("Certificate information
Issued by: Let's Encrypt Authority X3
Issued to: CN=gnu.org
Hostname: gnu.org
Public key: RSA, signature: RSA-SHA256
Protocol: TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level: Medium
Valid: From 2016-12-16 to 2017-03-16
" 272 278 (face bold)))
1 <- nsm-query-user: session

Message #31 received at 24575 <at> debbugs.gnu.org (Wed, 25 Jan 2017 22:38:02 GMT):
From: Glenn Morris <rgm <at> gnu.org>
To: Devon Sean McCullough <devon2016 <at> jovi.net>
Cc: 24575 <at> debbugs.gnu.org, Lars Ingebrigtsen <larsi <at> gnus.org>, npostavs <at> users.sourceforge.net
Subject: Re: bug#24575: libgnutls MacOSX bug?
Date: Wed, 25 Jan 2017 17:37:08 -0500

(BTW, This seems like a duplicate of 24396?)

Message #34 received at 24575 <at> debbugs.gnu.org (Wed, 25 Jan 2017 23:57:02 GMT):
From: npostavs <at> users.sourceforge.net
To: Glenn Morris <rgm <at> gnu.org>
Cc: 24575 <at> debbugs.gnu.org, Lars Ingebrigtsen <larsi <at> gnus.org>, Devon Sean McCullough <devon2016 <at> jovi.net>
Subject: Re: bug#24575: libgnutls MacOSX bug?
Date: Wed, 25 Jan 2017 18:57:17 -0500

tags 24575 notabug
quit

Glenn Morris <rgm <at> gnu.org> writes:

> (BTW, This seems like a duplicate of 24396?)

The case in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24575#28 definitely looks like Bug#24396, and I can't reproduce it here on my Arch GNU/Linux box.

For the case in the OP, I reported in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=24575#20 being able to reproduce the error sometimes, depending on which remote host answered. Since it also happens with gnutls-cli, I don't believe it's an Emacs bug. And it no longer happens for me at all, so I think it was fixed on the remote end.
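
Added example (not part of the thread, and not Emacs or GnuTLS code): a small Python parser that compares what each backend served in its `gnutls-cli` transcript, which is the comparison the diagnosis above rests on. The transcripts are constructed and abbreviated from the output quoted in this report; 192.0.2.10 is a placeholder address, the leaf is assumed to be the same on both backends, and all function names are this example's own.

```python
import re

# Distinguished names as quoted in the report's gnutls-cli output.
LEAF = r"OU=Domain Control Validated,OU=Hosted by HostGator.com\, LLC.,OU=PositiveSSL Wildcard,CN=*.hostgator.com"
DV_CA = "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA"
RSA_CA = "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Certification Authority"
ROOT = "C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root"

def cert(i, subject, issuer):
    """Render one abbreviated certificate entry in gnutls-cli's layout."""
    return f"- Certificate[{i}] info:\n - subject `{subject}', issuer `{issuer}'\n"

# Constructed transcripts, abbreviated from the two runs in the report.
# 192.0.2.10 is a placeholder address; 50.23.69.98 is the address in the report.
FULL = ("Connecting to '192.0.2.10:443'...\n- Got a certificate list of 3 certificates.\n"
        + cert(0, LEAF, DV_CA) + cert(1, DV_CA, RSA_CA) + cert(2, RSA_CA, ROOT)
        + "- Status: The certificate is trusted.\n")
LEAF_ONLY = ("Connecting to '50.23.69.98:443'...\n- Got a certificate list of 1 certificates.\n"
             + cert(0, LEAF, DV_CA)
             + "- Status: The certificate is NOT trusted. The certificate issuer is unknown.\n")

def parse(transcript):
    """Extract peer address, served (subject, issuer) pairs and the verdict."""
    addr = re.search(r"Connecting to '([^']+)'", transcript).group(1)
    chain = re.findall(r"subject `([^']*)', issuer `([^']*)'", transcript)
    status = re.search(r"^- Status: (.*)$", transcript, re.M).group(1)
    return {"addr": addr, "chain": chain, "trusted": "NOT trusted" not in status}

def broken_links(chain):
    """Positions where a certificate's issuer is not the next certificate's subject."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

def issuer_client_must_hold(chain):
    """Issuer of the last served certificate; the client needs it in its own store."""
    subject, issuer = chain[-1]
    return None if subject == issuer else issuer

def compare(transcripts):
    """Parse each backend's transcript and flag those serving a shorter chain."""
    rows = [parse(t) for t in transcripts]
    longest = max(len(r["chain"]) for r in rows)
    for r in rows:
        r["short_chain"] = len(r["chain"]) < longest
        r["must_hold"] = issuer_client_must_hold(r["chain"])
    return rows

if __name__ == "__main__":
    for r in compare([FULL, LEAF_ONLY]):
        print(r["addr"], "certs:", len(r["chain"]), "trusted:", r["trusted"],
              "short chain:", r["short_chain"], "\n  client must hold:", r["must_hold"])
```

For the leaf-only transcript the issuer the client must already hold is an intermediate CA, which root trust stores do not normally carry; that matches the "certificate issuer is unknown" verdict from that backend.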

npostavs <at> users.sourceforge.net to control <at> debbugs.gnu.org. (Wed, 25 Jan 2017 23:57:02 GMT)

Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 23 Feb 2017 12:24:07 GMT)

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.