* [ITA] ca-certificates
From: Achim Gratz
Date: 2021-10-02 13:56 UTC
To: cygwin-apps

This package by Yaakov is getting long in the tooth and one of my Perl
distributions is using it. Here's the change to pull it up to the
latest iteration from Fedora and make it compatible with the CI:

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf rackAttack:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds
* Re: [ITA] ca-certificates
From: Jon Turney
Date: 2021-10-02 15:48 UTC
To: cygwin-apps

On 02/10/2021 14:56, Achim Gratz wrote:
>
> This package by Yaakov is getting long in the tooth and one of my Perl
> distributions is using it. Here's the change to pull it up to the
> latest iteration from Fedora and make it compatible with the CI:
>
> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd
>

> +# actually get the Fedora sources
> +# the output from git must not be seen by cygport…
> +git submodule update > /dev/null

I think it's a scallywag bug that it doesn't currently checkout
packaging repository submodules, so let me try to fix that.
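Review bot: `git submodule update` without `--init` leaves a submodule that is not yet registered in .git/config untouched, and that is exactly the state of a fresh clone of the packaging repository, so on a clean checkout the quoted line fetches nothing; `git submodule update --init` is what actually brings the Fedora sources in (the "Submodule 'fedora' (...) registered for path 'fedora'" message seen later in this thread is what `--init` prints when it registers one). Separately, `> /dev/null` discards only stdout: git writes "Cloning into ..." and fetch progress to stderr, so if the intent is that cygport sees none of git's output, the redirect needs to cover stderr as well, or the call should use `git submodule --quiet update --init` so genuine errors are still reported.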
* Re: [ITA] ca-certificates
From: Brian Inglis
Date: 2021-10-02 16:37 UTC
To: cygwin-apps

On 2021-10-02 09:48, Jon Turney wrote:
> On 02/10/2021 14:56, Achim Gratz wrote:
>>
>> This package by Yaakov is getting long in the tooth and one of my Perl
>> distributions is using it. Here's the change to pull it up to the
>> latest iteration from Fedora and make it compatible with the CI:
>>
>> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd
>>
>
>> +# actually get the Fedora sources
>> +# the output from git must not be seen by cygport…
>> +git submodule update > /dev/null
>
> I think it's a scallywag bug that it doesn't currently checkout
> packaging repository submodules, so let me try to fix that.

Very timely gentlemen, as it could eliminate or help mitigate the below:

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

OpenSSL 1.0.2 packages are now hitting this - see attached log.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail.
Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

[-- Attachment #2: lynx-noaccess.log --]

$ for url in https://curl.se/download/ http://curl.se/download/ \
    https://libssh2.org/download/ http://libssh2.org/download/; do
    lynx -dump -nolist -nonumbers $url; done
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
lynx: Can't access startfile https://curl.se/download/
Looking up curl.se
Making HTTP connection to curl.se
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 301 Moved Permanently
Data transfer complete
HTTP/1.1 301 Moved Permanently
Using https://curl.se/download/
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
lynx: Can't access startfile http://curl.se/download/
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://libssh2.org/download/
Looking up libssh2.org
Making HTTP connection to libssh2.org
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 301 Moved Permanently
Data transfer complete
HTTP/1.1 301 Moved Permanently
Using https://libssh2.org/download/
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile http://libssh2.org/download/
* Re: [ITA] ca-certificates
From: Brian Inglis
Date: 2021-10-02 19:38 UTC
To: cygwin-apps

On 2021-10-02 10:37, Brian Inglis wrote:
> On 2021-10-02 09:48, Jon Turney wrote:
>> On 02/10/2021 14:56, Achim Gratz wrote:
>>>
>>> This package by Yaakov is getting long in the tooth and one of my Perl
>>> distributions is using it. Here's the change to pull it up to the
>>> latest iteration from Fedora and make it compatible with the CI:
>>>
>>> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd
>>>
>>
>>> +# actually get the Fedora sources
>>> +# the output from git must not be seen by cygport…
>>> +git submodule update > /dev/null
>>
>> I think it's a scallywag bug that it doesn't currently checkout
>> packaging repository submodules, so let me try to fix that.
>
> Very timely gentlemen, as it could eliminate or help mitigate the below:
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> OpenSSL 1.0.2 packages are now hitting this - see attached log.

Oh-oh! Seems a bit more widespread than that.

Please see attached log for dumps from all the below:

$ cygcheck wget wget2 curl | egrep \
    '^\s*C:/.*/bin/.*(crypto|exe|gpg|krb|ss[hl]|tls)'
C:/.../bin/wget.exe
  C:/.../bin/cyggnutls-30.dll
  C:/.../bin/cyggpgme-11.dll
  C:/.../bin/cyggpg-error-0.dll
C:/.../bin/wget2.exe
  C:/.../bin/cyggnutls-30.dll
  C:/.../bin/cyggpgme-11.dll
  C:/.../bin/cyggpg-error-0.dll
C:/.../bin/curl.exe
  C:/.../bin/cygcrypto-1.1.dll
  C:/.../bin/cyggpg-error-0.dll
  C:/.../bin/cyggssapi_krb5-2.dll
  C:/.../bin/cygk5crypto-3.dll
  C:/.../bin/cygkrb5support-0.dll
  C:/.../bin/cygkrb5-3.dll
  C:/.../bin/cygssl-1.1.dll
  C:/.../bin/cygssh2-1.dll

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail.
Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

[-- Attachment #2: cert-issues.log --]

$ wget -dv https://invisible-mirror.net/archives/
Setting --verbose (verbose) to 1
DEBUG output created by Wget 1.21.1 on cygwin.

Reading HSTS entries from $HOME/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2021-10-02 13:18:02--  https://invisible-mirror.net/archives/
Certificates loaded: 167
Resolving invisible-mirror.net (invisible-mirror.net)... 160.153.42.69
Caching invisible-mirror.net => 160.153.42.69
Connecting to invisible-mirror.net (invisible-mirror.net)|160.153.42.69|:443... connected.
Created socket 3.
Releasing 0x00000008001febb0 (new refcount 1).
ERROR: The certificate of ‘invisible-mirror.net’ is not trusted.
ERROR: The certificate of ‘invisible-mirror.net’ has expired.
$

$ curl -Iv --trace-ascii - https://invisible-mirror.net/archives/
Warning: --trace-ascii overrides an earlier trace/verbose option
== Info: STATE: INIT => CONNECT handle 0x8000bf178; line 1789 (connection #-5000)
== Info: Added connection 0. The cache now contains 1 members
== Info: STATE: CONNECT => RESOLVING handle 0x8000bf178; line 1835 (connection #0)
== Info: family0 == v4, family1 == v6
== Info:   Trying 160.153.42.69:443...
== Info: STATE: RESOLVING => CONNECTING handle 0x8000bf178; line 1917 (connection #0)
== Info: Connected to invisible-mirror.net (160.153.42.69) port 443 (#0)
== Info: STATE: CONNECTING => PROTOCONNECT handle 0x8000bf178; line 1980 (connection #0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info:  CAfile: /etc/pki/tls/certs/ca-bundle.crt
== Info:  CApath: none
== Info: Didn't find Session ID in cache for host HTTPS://invisible-mirror.net:443
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
== Info: STATE: PROTOCONNECT => PROTOCONNECTING handle 0x8000bf178; line 2000 (connection #0)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 106 bytes (0x6a)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 2472 bytes (0x9a8)
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (OUT), TLS alert, certificate expired (557):
=> Send SSL data, 2 bytes (0x2)
== Info: SSL certificate problem: certificate has expired
== Info: multi_done
== Info: The cache now contains 0 members
== Info: Closing connection 0
== Info: Expire cleared (transfer 0x8000bf178)
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$

$ wget2 -dv https://invisible-mirror.net/archives/
02.131808.926 Local URI encoding = 'UTF-8'
02.131808.927 Input URI encoding = 'UTF-8'
02.131808.947 Fetched HSTS data from '$HOME/.local/share/wget/.wget-hsts'
02.131808.950 Fetched HPKP data from '$HOME/.local/share/wget/.wget-hpkp'
02.131808.953 Fetched OCSP hosts from '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131808.956 Fetched OCSP fingerprints from '$HOME/.local/share/wget/.wget-ocsp'
02.131808.956 set_exit_status(0)
02.131808.956 *url =
02.131808.956 *3 https://invisible-mirror.net/archives/
02.131808.956 local filename = 'index.html'
02.131808.956 host_add_job: job fname index.html
02.131808.956 host_add_job: 0x8000a0720 https://invisible-mirror.net/archives/
02.131808.956 host_add_job: qsize 1 host-qsize=1
02.131808.956 queue_size: qsize=1
02.131808.956 queue_size: qsize=1
02.131808.957 queue_size: qsize=1
02.131808.957 [0] action=1 pending=0 host=0x0
02.131808.957 dequeue job https://invisible-mirror.net/archives/
02.131808.957 resolving invisible-mirror.net:443...
02.131808.991 has 160.153.42.69:443
02.131808.991 trying 160.153.42.69:443...
02.131808.992 GnuTLS init
02.131809.130 GnuTLS system certificate store is empty
02.131809.130 Certificates loaded: 167
02.131809.131 GnuTLS init done
02.131809.131 TLS False Start requested
02.131809.131 ALPN offering h2
02.131809.131 ALPN offering http/1.1
ERROR: The certificate is NOT trusted. The certificate chain uses expired certificate.
02.131809.442 gnutls_handshake: (-43) Error in the certificate. (errno=11)
02.131809.442 ALPN: Server accepted protocol 'h2'
----
Certificate info [0]:
  Valid since: 2021 Aug 01 Sun 11:19:48
  Expires: 2021 Oct 30 Sat 11:19:46
  Fingerprint: 5f45fb6a2fb7799fd180c574e6756eb6
  Serial number: 5f45fb6a2fb7799fd180c574e6756eb6
  Public key: RSA, Medium (2048 bits)
  Version: #3
  DN: CN=invisible-mirror.net
  Issuer's DN: C=US,O=Let's Encrypt,CN=R3
  Issuer's OID: 2.5.4.6
  Issuer's UID: 2.5.4.6
Certificate info [1]:
  Valid since: 2020 Oct 07 Wed 13:21:40
  Expires: 2021 Sep 29 Wed 13:21:40
  Fingerprint: 312128f5a0ed7ba54b6582928756ba83
  Serial number: 312128f5a0ed7ba54b6582928756ba83
  Public key: RSA, Medium (2048 bits)
  Version: #3
  DN: C=US,O=Let's Encrypt,CN=R3
  Issuer's DN: O=Digital Signature Trust Co.,CN=DST Root CA X3
  Issuer's OID: 2.5.4.10
  Issuer's UID: 2.5.4.10
----
  Ephemeral ECDH using curve (null)
  Key Exchange: ECDHE-RSA
  Protocol: TLS1.2
  Certificate Type: X.509
  Cipher: NULL
  MAC: MAC-NULL
----
02.131809.443 closing connection
Failed to connect: Certificate error
02.131809.443 host_final_failure: qsize=0
02.131809.443 set_exit_status(5)
02.131809.443 host_increase_failure: invisible-mirror.net failures=1
02.131809.443 [0] action=3 pending=1 host=0x8000a06a0
02.131809.443 released job https://invisible-mirror.net/archives/
02.131809.443 [0] action=1 pending=0 host=0x0
02.131809.443 host invisible-mirror.net is blocked (qsize=1)
02.131809.443 main: wake up
02.131809.443 main: done
02.131809.450 Successfully updated '$HOME/.local/share/wget/.wget-ocsp_hosts'.
02.131809.451 Saved OCSP hosts to '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131809.457 Successfully updated '$HOME/.local/share/wget/.wget-ocsp'.
02.131809.458 Saved OCSP fingerprints to '$HOME/.local/share/wget/.wget-ocsp'
02.131809.458 blacklist https://invisible-mirror.net/archives/
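Both attached logs fail in the same way: the server's chain ends in the old Let's Encrypt R3 intermediate, which is issued by DST Root CA X3 and, per the wget2 dump, expired on 2021 Sep 29, and a client whose chain builder does not try the alternative path to ISRG Root X1 (OpenSSL 1.0.2, as the OpenSSL post linked above explains) stops at that expired path. The usual mitigation on such clients is to drop the expired root from the trust bundle, which first means finding out what in the bundle has actually expired. The script below is an added example, not code from this thread or from the ca-certificates package: it walks every PEM certificate in a bundle with a minimal DER reader (standard library only) and reports each one whose notAfter lies in the past. The default bundle path /etc/pki/tls/certs/ca-bundle.crt is the CAfile from the curl trace above; the function names, the `_fake_cert` encoder and the three fixture certificates in SAMPLE_BUNDLE are my own constructions (unsigned skeletons carrying only the fields the scanner reads, with dates modelled on the expiry times in the log), as is the audit time SAMPLE_NOW, set to the day of this thread.

```python
# Added example (stdlib only): list the expired certificates in a PEM CA bundle.
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"        # id-at-commonName 2.5.4.3, DER content bytes


def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, start, end) for each element inside a SEQUENCE or SET body."""
    pos = start
    while pos < end:
        tag, cstart, cend = _tlv(buf, pos)
        yield tag, cstart, cend
        pos = cend


def _time(tag, raw):
    """X.509 Time: UTCTime (YYMMDDHHMMSSZ, RFC 5280 two-digit year) or GeneralizedTime."""
    s = raw.decode("ascii")
    if tag == 0x17:                      # UTCTime: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _common_name(buf, start, end):
    """CN from an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}), or None."""
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))[:2]
            if buf[oid_s:oid_e] == OID_COMMON_NAME:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return None


def parse_certificate(der):
    """Return (subject_cn, not_before, not_after) for one DER-encoded certificate."""
    _, cert_s, cert_e = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, cert_s, cert_e))  # tbsCertificate comes first
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, SPKI, ...
    _, val_s, val_e = fields[3]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = list(_children(der, val_s, val_e))
    _, subj_s, subj_e = fields[4]
    return (_common_name(der, subj_s, subj_e),
            _time(nb_tag, der[nb_s:nb_e]), _time(na_tag, der[na_s:na_e]))


def expired_in_bundle(pem_text, now=None):
    """Return [(cn, not_after)] for every certificate in the bundle expired at `now`."""
    now = now or datetime.now(timezone.utc)
    found = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        cn, _, not_after = parse_certificate(der)
        if not_after < now:
            found.append((cn, not_after))
    return found


# --- constructed fixture: unsigned skeletons with only the fields the scanner reads ---
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, OID_COMMON_NAME) + _enc(0x0C, cn.encode()))))


def _fake_cert(cn, not_before, not_after):
    """PEM text for a test-only certificate skeleton (no real key, no signature)."""
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, not_after.encode()))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg
               + _name(cn) + validity + _name(cn) + _enc(0x30, b""))
    b64 = base64.b64encode(_enc(0x30, tbs + alg + _enc(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed dates modelled on the log: old R3 expired 2021-09-29, its issuer DST Root CA X3
# the day after; ISRG Root X1 stays valid.  Audit time is the day of the thread.
SAMPLE_BUNDLE = (_fake_cert("ISRG Root X1", "150604110438Z", "350604110438Z")
                 + _fake_cert("DST Root CA X3", "000930211219Z", "210930140115Z")
                 + _fake_cert("R3", "201007132140Z", "210929132140Z"))
SAMPLE_NOW = datetime(2021, 10, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/tls/certs/ca-bundle.crt"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for cn, when in expired_in_bundle(fh.read()):
            print(f"EXPIRED {when:%Y-%m-%d %H:%M:%S} UTC  {cn}")
```

Run against a real bundle it prints one line per expired entry; on an OpenSSL 1.0.2 client, removing the listed root from the bundle (or installing a ca-certificates build that no longer ships it) lets chain building end at ISRG Root X1 instead. OpenSSL 1.1.0 and later already prefer the unexpired path, so the scan matters mainly on the older stacks this thread is about. The reader deliberately stops at the subject field and never touches the signature, which is all a bundle audit needs; it is not a validator.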
* Re: [ITA] ca-certificates
From: Achim Gratz
Date: 2021-10-03 5:22 UTC
To: cygwin-apps

Jon Turney writes:
>> +# actually get the Fedora sources
>> +# the output from git must not be seen by cygport…
>> +git submodule update > /dev/null
>
> I think it's a scallywag bug that it doesn't currently checkout
> packaging repository submodules, so let me try to fix that.

I'd rather have proper support in cygport for importing foreign
packaging via submodules (I'm not sure what's the best way to do that
or I'd have offered a patch). It's fine if the CI gets smarter, but
the packages should build locally as well without lots of manual
intervention.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
* Re: [ITA] ca-certificates
From: Achim Gratz
Date: 2021-10-03 8:27 UTC
To: cygwin-apps

Jon Turney writes:
> I think it's a scallywag bug that it doesn't currently checkout
> packaging repository submodules, so let me try to fix that.

Doesn't seem to work:

--8<---------------cut here---------------start------------->8---
Submodule 'fedora' (https://src.fedoraproject.org/rpms/ca-certificates.git) registered for path 'fedora'
Cloning into '/cygdrive/c/projects/ca-certificates/fedora'...
error: Server does not allow request for unadvertised object 00da4d0e2ad60757fe0901ae01a4423a31140bed
fatal: Fetched in submodule path 'fedora', but it did not contain 00da4d0e2ad60757fe0901ae01a4423a31140bed. Direct fetching of that commit failed.
scallywag: something went wrong cloning the package repo
--8<---------------cut here---------------end--------------->8---

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
* Re: [ITA] ca-certificates
From: Jon Turney
Date: 2021-10-03 15:01 UTC
To: cygwin-apps

On 03/10/2021 09:27, Achim Gratz wrote:
> Jon Turney writes:
>> I think it's a scallywag bug that it doesn't currently checkout
>> packaging repository submodules, so let me try to fix that.
>
> Doesn't seem to work:
>
> --8<---------------cut here---------------start------------->8---
> Submodule 'fedora' (https://src.fedoraproject.org/rpms/ca-certificates.git) registered for path 'fedora'
> Cloning into '/cygdrive/c/projects/ca-certificates/fedora'...
> error: Server does not allow request for unadvertised object 00da4d0e2ad60757fe0901ae01a4423a31140bed
> fatal: Fetched in submodule path 'fedora', but it did not contain 00da4d0e2ad60757fe0901ae01a4423a31140bed. Direct fetching of that commit failed.
> scallywag: something went wrong cloning the package repo
> --8<---------------cut here---------------end--------------->8---
>

Yeah, I did say 'try' because shallow cloning submodules is somewhat
fraught, but I think I have it right now...

I notice in passing that commit is a couple of years old and belongs to
an EOL'ed Fedora version, so you might want to see if there are later
commits which are more suitable?
* Re: [ITA] ca-certificates
From: Achim Gratz
Date: 2021-10-03 15:43 UTC
To: cygwin-apps

Jon Turney writes:
> I notice in passing that commit is a couple of years old and belongs
> to an EOL'ed Fedora version, so you might want to see if there are
> later commits which are more suitable?

WTH… somewhere along getting all the other stuff going the actual
update seems to have gone missing. OK, I'll fix it up and re-release.

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada
* Re: [ITA] ca-certificates
From: Marco Atzeri
Date: 2021-10-02 18:54 UTC
To: cygwin-apps

On 02.10.2021 15:56, Achim Gratz wrote:
>
> This package by Yaakov is getting long in the tooth and one of my Perl
> distributions is using it. Here's the change to pull it up to the
> latest iteration from Fedora and make it compatible with the CI:
>

changed maintainer

Thanks
Marco