GNU bug report logs -
#30555
elpa.gnu.org certificate order
Previous Next
Reported by: Ian Kelling <iank <at> fsf.org>
Date: Tue, 20 Feb 2018 19:01:02 UTC
Severity: normal
Done: Glenn Morris <rgm <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 30555 in the body.
You can then email your comments to 30555 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#30555; Package
emacs.
(Tue, 20 Feb 2018 19:01:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ian Kelling <iank <at> fsf.org>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Tue, 20 Feb 2018 19:01:03 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
I think I've found the root cause as the apache config is wrong and am
going to fix this on the elpa server in the next few minutes, which I would
normally not touch.
Originall reported to sysadmin <at> gnu.org by "Sam Brightman, who i've cced
I'm writing because I believe the certificate chain for elpa.gnu.org is
incorrect. You can see the out-of-order chain warning on:
https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&hideResults=on
You can also run e.g. gnutls-cli:
$ gnutls-cli elpa.gnu.org
|<1>| There was a non-CA certificate in the trusted list:
O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification
Authority (2048).
Processed 165 CA certificate(s).
Resolving 'elpa.gnu.org:443'...
Connecting to '208.118.235.89:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0,
RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02
10:00:36 UTC', expires `2018-03-02 10:00:36 UTC',
pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
Public Key ID:
sha1:a055226618cb098619db153e7d847d0f2637b836
sha256:9b5feab8f5a9cc14cdba057a894f812d1cbf2192097b1f20819e3b48e578906d
Public Key PIN:
pin-sha256:m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0=
Public key's random art:
+--[ RSA 2048]----+
|++.o*..oo. |
|+=.B o.++ * |
|. = o + .* + |
| + oE . |
| . .S. |
| |
| |
| |
| |
+-----------------+
- Certificate[1] info:
- subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0,
RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02
10:00:36 UTC', expires `2018-03-02 10:00:36 UTC',
pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer
`CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using
RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17
16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID:
85:4F:3F:0C:1E:14:EE:51:33:81:38:3A:C8:72:FE:2C:72:B5:93:81:C0:8A:69:10:CA:66:CC:EE:44:99:74:D5
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
Whilst some TLS libraries will re-order/de-duplicate in this situation,
at least GnuTLS prior to version 3 does not. This is a very common
version for LTS distribution releases, including Travis CI. Stock Emacs
with GnuTLS (<3) support cannot verify the certificate of its own
package repository as a result of this.
end quote.
--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#30555; Package
emacs.
(Tue, 20 Feb 2018 19:17:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 30555 <at> debbugs.gnu.org (full text, mbox):
I believe I've this is fixed on the server by the following patch in
/etc/apache2, and reloading apache. Feel free to close this bug
--- /tmp/default-ssl.conf 2018-02-20 14:05:35.276409315 -0500
+++ ./sites-available/default-ssl.conf 2018-02-20 14:09:48.680260877 -0500
@@ -45,7 +45,7 @@
SSLProtocol ALL -SSLv2 -SSLv3
- SSLCertificateFile /etc/letsencrypt/live/elpa.gnu.org/cert.pem
+ SSLCertificateFile /etc/letsencrypt/live/elpa.gnu.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/elpa.gnu.org/privkey.pem
@@ -56,7 +56,7 @@
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
- SSLCertificateChainFile /etc/letsencrypt/live/elpa.gnu.org/fullchain.pem
+ # SSLCertificateChainFile /etc/letsencrypt/live/elpa.gnu.org/fullchain.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
bug closed, send any further explanations to
30555 <at> debbugs.gnu.org and Ian Kelling <iank <at> fsf.org>
Request was from
Glenn Morris <rgm <at> gnu.org>
to
control <at> debbugs.gnu.org.
(Tue, 20 Feb 2018 19:19:01 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 21 Mar 2018 11:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 7 years and 151 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.