From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin-apps@cygwin.com
Subject: Re: [ITA] ca-certificates
Date: Sat, 2 Oct 2021 13:38:16 -0600 [thread overview]
Message-ID: <48174f34-c08a-b4cf-f694-49a97cc4b867@SystematicSw.ab.ca> (raw)
In-Reply-To: <e2f0f73d-6cd5-a857-6875-a767fbdef9de@SystematicSw.ab.ca>
[-- Attachment #1: Type: text/plain, Size: 2021 bytes --]
On 2021-10-02 10:37, Brian Inglis wrote:
> On 2021-10-02 09:48, Jon Turney wrote:
>> On 02/10/2021 14:56, Achim Gratz wrote:
>>>
>>> This package by Yaakov is getting long in the tooth and one of my Perl
>>> distributions is using it. Here's the change to pull it up to the
>>> latest iteration from Fedora and make it compatible with the CI:
>>>
>>> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd
>>>
>>
>>> +# actually get the Fedora sources
>>> +# the output from git must not be seen by cygport…
>>> +git submodule update > /dev/null
>>
>> I think it's a scallywag bug that it doesn't currently checkout
>> packaging repository submodules, so let me try to fix that.
>
> Very timely gentlemen, as it could eliminate or help mitigate the below:
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> OpenSSL 1.0.2 packages are now hitting this - see attached log.
Oh-oh!
Seems a bit more widespread than that.
Please see attached log for dumps from all the below:
$ cygcheck wget wget2 curl | egrep \
'^\s*C:/.*/bin/.*(crypto|exe|gpg|krb|ss[hl]|tls)'
C:/.../bin/wget.exe
C:/.../bin/cyggnutls-30.dll
C:/.../bin/cyggpgme-11.dll
C:/.../bin/cyggpg-error-0.dll
C:/.../bin/wget2.exe
C:/.../bin/cyggnutls-30.dll
C:/.../bin/cyggpgme-11.dll
C:/.../bin/cyggpg-error-0.dll
C:/.../bin/curl.exe
C:/.../bin/cygcrypto-1.1.dll
C:/.../bin/cyggpg-error-0.dll
C:/.../bin/cyggssapi_krb5-2.dll
C:/.../bin/cygk5crypto-3.dll
C:/.../bin/cygkrb5support-0.dll
C:/.../bin/cygkrb5-3.dll
C:/.../bin/cygssl-1.1.dll
C:/.../bin/cygssh2-1.dll
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
[-- Attachment #2: cert-issues.log --]
[-- Type: text/plain, Size: 6200 bytes --]
$ wget -dv https://invisible-mirror.net/archives/
Setting --verbose (verbose) to 1
DEBUG output created by Wget 1.21.1 on cygwin.
Reading HSTS entries from $HOME/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2021-10-02 13:18:02-- https://invisible-mirror.net/archives/
Certificates loaded: 167
Resolving invisible-mirror.net (invisible-mirror.net)... 160.153.42.69
Caching invisible-mirror.net => 160.153.42.69
Connecting to invisible-mirror.net (invisible-mirror.net)|160.153.42.69|:443... connected.
Created socket 3.
Releasing 0x00000008001febb0 (new refcount 1).
ERROR: The certificate of ‘invisible-mirror.net’ is not trusted.
ERROR: The certificate of ‘invisible-mirror.net’ has expired.
$
$ curl -Iv --trace-ascii - https://invisible-mirror.net/archives/
Warning: --trace-ascii overrides an earlier trace/verbose option
== Info: STATE: INIT => CONNECT handle 0x8000bf178; line 1789 (connection #-5000)
== Info: Added connection 0. The cache now contains 1 members
== Info: STATE: CONNECT => RESOLVING handle 0x8000bf178; line 1835 (connection #0)
== Info: family0 == v4, family1 == v6
== Info: Trying 160.153.42.69:443...
== Info: STATE: RESOLVING => CONNECTING handle 0x8000bf178; line 1917 (connection #0)
== Info: Connected to invisible-mirror.net (160.153.42.69) port 443 (#0)
== Info: STATE: CONNECTING => PROTOCONNECT handle 0x8000bf178; line 1980 (connection #0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
== Info: CApath: none
== Info: Didn't find Session ID in cache for host HTTPS://invisible-mirror.net:443
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
== Info: STATE: PROTOCONNECT => PROTOCONNECTING handle 0x8000bf178; line 2000 (connection #0)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 106 bytes (0x6a)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 2472 bytes (0x9a8)
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (OUT), TLS alert, certificate expired (557):
=> Send SSL data, 2 bytes (0x2)
== Info: SSL certificate problem: certificate has expired
== Info: multi_done
== Info: The cache now contains 0 members
== Info: Closing connection 0
== Info: Expire cleared (transfer 0x8000bf178)
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$
$ wget2 -dv https://invisible-mirror.net/archives/
02.131808.926 Local URI encoding = 'UTF-8'
02.131808.927 Input URI encoding = 'UTF-8'
02.131808.947 Fetched HSTS data from '$HOME/.local/share/wget/.wget-hsts'
02.131808.950 Fetched HPKP data from '$HOME/.local/share/wget/.wget-hpkp'
02.131808.953 Fetched OCSP hosts from '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131808.956 Fetched OCSP fingerprints from '$HOME/.local/share/wget/.wget-ocsp'
02.131808.956 set_exit_status(0)
02.131808.956 *url =
02.131808.956 *3 https://invisible-mirror.net/archives/
02.131808.956 local filename = 'index.html'
02.131808.956 host_add_job: job fname index.html
02.131808.956 host_add_job: 0x8000a0720 https://invisible-mirror.net/archives/
02.131808.956 host_add_job: qsize 1 host-qsize=1
02.131808.956 queue_size: qsize=1
02.131808.956 queue_size: qsize=1
02.131808.957 queue_size: qsize=1
02.131808.957 [0] action=1 pending=0 host=0x0
02.131808.957 dequeue job https://invisible-mirror.net/archives/
02.131808.957 resolving invisible-mirror.net:443...
02.131808.991 has 160.153.42.69:443
02.131808.991 trying 160.153.42.69:443...
02.131808.992 GnuTLS init
02.131809.130 GnuTLS system certificate store is empty
02.131809.130 Certificates loaded: 167
02.131809.131 GnuTLS init done
02.131809.131 TLS False Start requested
02.131809.131 ALPN offering h2
02.131809.131 ALPN offering http/1.1
ERROR: The certificate is NOT trusted. The certificate chain uses expired certificate.
02.131809.442 gnutls_handshake: (-43) Error in the certificate. (errno=11)
02.131809.442 ALPN: Server accepted protocol 'h2'
----
Certificate info [0]:
Valid since: 2021 Aug 01 Sun 11:19:48
Expires: 2021 Oct 30 Sat 11:19:46
Fingerprint: 5f45fb6a2fb7799fd180c574e6756eb6
Serial number: 5f45fb6a2fb7799fd180c574e6756eb6
Public key: RSA, Medium (2048 bits)
Version: #3
DN: CN=invisible-mirror.net
Issuer's DN: C=US,O=Let's Encrypt,CN=R3
Issuer's OID: 2.5.4.6
Issuer's UID: 2.5.4.6
Certificate info [1]:
Valid since: 2020 Oct 07 Wed 13:21:40
Expires: 2021 Sep 29 Wed 13:21:40
Fingerprint: 312128f5a0ed7ba54b6582928756ba83
Serial number: 312128f5a0ed7ba54b6582928756ba83
Public key: RSA, Medium (2048 bits)
Version: #3
DN: C=US,O=Let's Encrypt,CN=R3
Issuer's DN: O=Digital Signature Trust Co.,CN=DST Root CA X3
Issuer's OID: 2.5.4.10
Issuer's UID: 2.5.4.10
----
Ephemeral ECDH using curve (null)
Key Exchange: ECDHE-RSA
Protocol: TLS1.2
Certificate Type: X.509
Cipher: NULL
MAC: MAC-NULL
----
02.131809.443 closing connection
Failed to connect: Certificate error
02.131809.443 host_final_failure: qsize=0
02.131809.443 set_exit_status(5)
02.131809.443 host_increase_failure: invisible-mirror.net failures=1
02.131809.443 [0] action=3 pending=1 host=0x8000a06a0
02.131809.443 released job https://invisible-mirror.net/archives/
02.131809.443 [0] action=1 pending=0 host=0x0
02.131809.443 host invisible-mirror.net is blocked (qsize=1)
02.131809.443 main: wake up
02.131809.443 main: done
02.131809.450 Successfully updated '$HOME/.local/share/wget/.wget-ocsp_hosts'.
02.131809.451 Saved OCSP hosts to '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131809.457 Successfully updated '$HOME/.local/share/wget/.wget-ocsp'.
02.131809.458 Saved OCSP fingerprints to '$HOME/.local/share/wget/.wget-ocsp'
02.131809.458 blacklist https://invisible-mirror.net/archives/
next prev parent reply other threads:[~2021-10-02 19:38 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-02 13:56 Achim Gratz
2021-10-02 15:48 ` Jon Turney
2021-10-02 16:37 ` Brian Inglis
2021-10-02 19:38 ` Brian Inglis [this message]
2021-10-03 5:22 ` Achim Gratz
2021-10-03 8:27 ` Achim Gratz
2021-10-03 15:01 ` Jon Turney
2021-10-03 15:43 ` Achim Gratz
2021-10-02 18:54 ` Marco Atzeri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48174f34-c08a-b4cf-f694-49a97cc4b867@SystematicSw.ab.ca \
--to=brian.inglis@systematicsw.ab.ca \
--cc=cygwin-apps@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).