public inbox for cygwin-apps@cygwin.com
* [ITA] ca-certificates
@ 2021-10-02 13:56 Achim Gratz
  2021-10-02 15:48 ` Jon Turney
  2021-10-02 18:54 ` Marco Atzeri
  0 siblings, 2 replies; 9+ messages in thread
From: Achim Gratz @ 2021-10-02 13:56 UTC (permalink / raw)
  To: cygwin-apps


This package by Yaakov is getting long in the tooth and one of my Perl
distributions is using it.  Here's the change to pull it up to the
latest iteration from Fedora and make it compatible with the CI:

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf rackAttack:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ITA] ca-certificates
  2021-10-02 13:56 [ITA] ca-certificates Achim Gratz
@ 2021-10-02 15:48 ` Jon Turney
  2021-10-02 16:37   ` Brian Inglis
                     ` (2 more replies)
  2021-10-02 18:54 ` Marco Atzeri
  1 sibling, 3 replies; 9+ messages in thread
From: Jon Turney @ 2021-10-02 15:48 UTC (permalink / raw)
  To: cygwin-apps

On 02/10/2021 14:56, Achim Gratz wrote:
> 
> This package by Yaakov is getting long in the tooth and one of my Perl
> distributions is using it.  Here's the change to pull it up to the
> latest iteration from Fedora and make it compatible with the CI:
> 
> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd

> +# actually get the Fedora sources
> +# the output from git must not be seen by cygport…
> +git submodule update > /dev/null
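
Review bot: unless an earlier `git submodule init` precedes it, `git submodule update` without `--init` skips a submodule that has not been initialised, so on a fresh clone of the packaging repository this line leaves `fedora` empty despite the comment "actually get the Fedora sources"; `git submodule update --init` is the form that registers and checks it out. The `> /dev/null` also hides only stdout: git's progress and error messages go to stderr and would still reach cygport, and a failed fetch goes unnoticed, so failing the build on a non-zero exit status is worth more than silencing the output.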

I think it's a scallywag bug that it doesn't currently checkout 
packaging repository submodules, so let me try to fix that.


* Re: [ITA] ca-certificates
  2021-10-02 15:48 ` Jon Turney
@ 2021-10-02 16:37   ` Brian Inglis
  2021-10-02 19:38     ` Brian Inglis
  2021-10-03  5:22   ` Achim Gratz
  2021-10-03  8:27   ` Achim Gratz
  2 siblings, 1 reply; 9+ messages in thread
From: Brian Inglis @ 2021-10-02 16:37 UTC (permalink / raw)
  To: cygwin-apps

On 2021-10-02 09:48, Jon Turney wrote:
> On 02/10/2021 14:56, Achim Gratz wrote:
>>
>> This package by Yaakov is getting long in the tooth and one of my Perl
>> distributions is using it.  Here's the change to pull it up to the
>> latest iteration from Fedora and make it compatible with the CI:
>>
>> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd 
>>
> 
>> +# actually get the Fedora sources
>> +# the output from git must not be seen by cygport…
>> +git submodule update > /dev/null
> 
> I think it's a scallywag bug that it doesn't currently checkout 
> packaging repository submodules, so let me try to fix that.

Very timely, gentlemen, as it could eliminate or help mitigate the below:

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

OpenSSL 1.0.2 packages are now hitting this - see attached log.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

[-- Attachment #2: lynx-noaccess.log --]

$ for url in https://curl.se/download/ http://curl.se/download/ \
	https://libssh2.org/download/ http://libssh2.org/download/;
  do
	lynx -dump -nolist -nonumbers $url;
  done

Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0

lynx: Can't access startfile https://curl.se/download/

Looking up curl.se
Making HTTP connection to curl.se
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 301 Moved Permanently
Data transfer complete
HTTP/1.1 301 Moved Permanently
Using https://curl.se/download/
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up curl.se
Making HTTPS connection to curl.se
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0

lynx: Can't access startfile http://curl.se/download/

Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
Alert!: Unable to make secure connection to remote host.

lynx: Can't access startfile https://libssh2.org/download/

Looking up libssh2.org
Making HTTP connection to libssh2.org
Sending HTTP request.
HTTP request sent; waiting for response.
HTTP/1.1 301 Moved Permanently
Data transfer complete
HTTP/1.1 301 Moved Permanently
Using https://libssh2.org/download/
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:certificate has expired, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up libssh2.org
Making HTTPS connection to libssh2.org
SSL callback:self signed certificate, preverify_ok=0, ssl_okay=0
Alert!: Unable to make secure connection to remote host.

lynx: Can't access startfile http://libssh2.org/download/


* Re: [ITA] ca-certificates
  2021-10-02 13:56 [ITA] ca-certificates Achim Gratz
  2021-10-02 15:48 ` Jon Turney
@ 2021-10-02 18:54 ` Marco Atzeri
  1 sibling, 0 replies; 9+ messages in thread
From: Marco Atzeri @ 2021-10-02 18:54 UTC (permalink / raw)
  To: cygwin-apps

On 02.10.2021 15:56, Achim Gratz wrote:
> 
> This package by Yaakov is getting long in the tooth and one of my Perl
> distributions is using it.  Here's the change to pull it up to the
> latest iteration from Fedora and make it compatible with the CI:
> 

changed maintainer
Thanks
Marco


* Re: [ITA] ca-certificates
  2021-10-02 16:37   ` Brian Inglis
@ 2021-10-02 19:38     ` Brian Inglis
  0 siblings, 0 replies; 9+ messages in thread
From: Brian Inglis @ 2021-10-02 19:38 UTC (permalink / raw)
  To: cygwin-apps

On 2021-10-02 10:37, Brian Inglis wrote:
> On 2021-10-02 09:48, Jon Turney wrote:
>> On 02/10/2021 14:56, Achim Gratz wrote:
>>>
>>> This package by Yaakov is getting long in the tooth and one of my Perl
>>> distributions is using it.  Here's the change to pull it up to the
>>> latest iteration from Fedora and make it compatible with the CI:
>>>
>>> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd 
>>>
>>
>>> +# actually get the Fedora sources
>>> +# the output from git must not be seen by cygport…
>>> +git submodule update > /dev/null
>>
>> I think it's a scallywag bug that it doesn't currently checkout 
>> packaging repository submodules, so let me try to fix that.
> 
> Very timely gentlemen, as it could eliminate or help mitigate the below:
> 
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
> 
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> 
> OpenSSL 1.0.2 packages are now hitting this - see attached log.

Oh-oh!
Seems a bit more widespread than that.
Please see attached log for dumps from all the below:

$ cygcheck wget wget2 curl | egrep \
	'^\s*C:/.*/bin/.*(crypto|exe|gpg|krb|ss[hl]|tls)'
C:/.../bin/wget.exe
   C:/.../bin/cyggnutls-30.dll
   C:/.../bin/cyggpgme-11.dll
       C:/.../bin/cyggpg-error-0.dll
C:/.../bin/wget2.exe
     C:/.../bin/cyggnutls-30.dll
   C:/.../bin/cyggpgme-11.dll
       C:/.../bin/cyggpg-error-0.dll
C:/.../bin/curl.exe
     C:/.../bin/cygcrypto-1.1.dll
         C:/.../bin/cyggpg-error-0.dll
       C:/.../bin/cyggssapi_krb5-2.dll
         C:/.../bin/cygk5crypto-3.dll
           C:/.../bin/cygkrb5support-0.dll
         C:/.../bin/cygkrb5-3.dll
       C:/.../bin/cygssl-1.1.dll
     C:/.../bin/cygssh2-1.dll

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]

[-- Attachment #2: cert-issues.log --]

$ wget -dv https://invisible-mirror.net/archives/
Setting --verbose (verbose) to 1
DEBUG output created by Wget 1.21.1 on cygwin.

Reading HSTS entries from $HOME/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2021-10-02 13:18:02--  https://invisible-mirror.net/archives/
Certificates loaded: 167
Resolving invisible-mirror.net (invisible-mirror.net)... 160.153.42.69
Caching invisible-mirror.net => 160.153.42.69
Connecting to invisible-mirror.net (invisible-mirror.net)|160.153.42.69|:443... connected.
Created socket 3.
Releasing 0x00000008001febb0 (new refcount 1).
ERROR: The certificate of ‘invisible-mirror.net’ is not trusted.
ERROR: The certificate of ‘invisible-mirror.net’ has expired.
$ 
$ curl -Iv --trace-ascii - https://invisible-mirror.net/archives/
Warning: --trace-ascii overrides an earlier trace/verbose option
== Info: STATE: INIT => CONNECT handle 0x8000bf178; line 1789 (connection #-5000)
== Info: Added connection 0. The cache now contains 1 members
== Info: STATE: CONNECT => RESOLVING handle 0x8000bf178; line 1835 (connection #0)
== Info: family0 == v4, family1 == v6
== Info:   Trying 160.153.42.69:443...
== Info: STATE: RESOLVING => CONNECTING handle 0x8000bf178; line 1917 (connection #0)
== Info: Connected to invisible-mirror.net (160.153.42.69) port 443 (#0)
== Info: STATE: CONNECTING => PROTOCONNECT handle 0x8000bf178; line 1980 (connection #0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info:  CAfile: /etc/pki/tls/certs/ca-bundle.crt
== Info:  CApath: none
== Info: Didn't find Session ID in cache for host HTTPS://invisible-mirror.net:443
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
== Info: STATE: PROTOCONNECT => PROTOCONNECTING handle 0x8000bf178; line 2000 (connection #0)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 106 bytes (0x6a)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 2472 bytes (0x9a8)
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (OUT), TLS alert, certificate expired (557):
=> Send SSL data, 2 bytes (0x2)
== Info: SSL certificate problem: certificate has expired
== Info: multi_done
== Info: The cache now contains 0 members
== Info: Closing connection 0
== Info: Expire cleared (transfer 0x8000bf178)
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ 
$ wget2 -dv https://invisible-mirror.net/archives/
02.131808.926 Local URI encoding = 'UTF-8'
02.131808.927 Input URI encoding = 'UTF-8'
02.131808.947 Fetched HSTS data from '$HOME/.local/share/wget/.wget-hsts'
02.131808.950 Fetched HPKP data from '$HOME/.local/share/wget/.wget-hpkp'
02.131808.953 Fetched OCSP hosts from '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131808.956 Fetched OCSP fingerprints from '$HOME/.local/share/wget/.wget-ocsp'
02.131808.956 set_exit_status(0)
02.131808.956 *url =
02.131808.956 *3 https://invisible-mirror.net/archives/
02.131808.956 local filename = 'index.html'
02.131808.956 host_add_job: job fname index.html
02.131808.956 host_add_job: 0x8000a0720 https://invisible-mirror.net/archives/
02.131808.956 host_add_job: qsize 1 host-qsize=1
02.131808.956 queue_size: qsize=1
02.131808.956 queue_size: qsize=1
02.131808.957 queue_size: qsize=1
02.131808.957 [0] action=1 pending=0 host=0x0
02.131808.957 dequeue job https://invisible-mirror.net/archives/
02.131808.957 resolving invisible-mirror.net:443...
02.131808.991 has 160.153.42.69:443
02.131808.991 trying 160.153.42.69:443...
02.131808.992 GnuTLS init
02.131809.130 GnuTLS system certificate store is empty
02.131809.130 Certificates loaded: 167
02.131809.131 GnuTLS init done
02.131809.131 TLS False Start requested
02.131809.131 ALPN offering h2
02.131809.131 ALPN offering http/1.1
ERROR: The certificate is NOT trusted. The certificate chain uses expired certificate.
02.131809.442 gnutls_handshake: (-43) Error in the certificate. (errno=11)
02.131809.442 ALPN: Server accepted protocol 'h2'
----
Certificate info [0]:
  Valid since: 2021 Aug 01 Sun 11:19:48
  Expires: 2021 Oct 30 Sat 11:19:46
  Fingerprint: 5f45fb6a2fb7799fd180c574e6756eb6
  Serial number: 5f45fb6a2fb7799fd180c574e6756eb6
  Public key: RSA, Medium (2048 bits)
  Version: #3
  DN: CN=invisible-mirror.net
  Issuer's DN: C=US,O=Let's Encrypt,CN=R3
  Issuer's OID: 2.5.4.6
  Issuer's UID: 2.5.4.6
Certificate info [1]:
  Valid since: 2020 Oct 07 Wed 13:21:40
  Expires: 2021 Sep 29 Wed 13:21:40
  Fingerprint: 312128f5a0ed7ba54b6582928756ba83
  Serial number: 312128f5a0ed7ba54b6582928756ba83
  Public key: RSA, Medium (2048 bits)
  Version: #3
  DN: C=US,O=Let's Encrypt,CN=R3
  Issuer's DN: O=Digital Signature Trust Co.,CN=DST Root CA X3
  Issuer's OID: 2.5.4.10
  Issuer's UID: 2.5.4.10
----
Ephemeral ECDH using curve (null)
Key Exchange: ECDHE-RSA
Protocol: TLS1.2
Certificate Type: X.509
Cipher: NULL
MAC: MAC-NULL
----
02.131809.443 closing connection
Failed to connect: Certificate error
02.131809.443 host_final_failure: qsize=0
02.131809.443 set_exit_status(5)
02.131809.443 host_increase_failure: invisible-mirror.net failures=1
02.131809.443 [0] action=3 pending=1 host=0x8000a06a0
02.131809.443 released job https://invisible-mirror.net/archives/
02.131809.443 [0] action=1 pending=0 host=0x0
02.131809.443 host invisible-mirror.net is blocked (qsize=1)
02.131809.443 main: wake up
02.131809.443 main: done
02.131809.450 Successfully updated '$HOME/.local/share/wget/.wget-ocsp_hosts'.
02.131809.451 Saved OCSP hosts to '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131809.457 Successfully updated '$HOME/.local/share/wget/.wget-ocsp'.
02.131809.458 Saved OCSP fingerprints to '$HOME/.local/share/wget/.wget-ocsp'
02.131809.458 blacklist https://invisible-mirror.net/archives/

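As an added example (not code from the thread, from the ca-certificates package or from wget2), a small Python check over the wget2 debug output attached above and the OpenSSL 1.0.2 failures from the earlier log: it parses the `Certificate info` blocks wget2 prints and tells an expired leaf (the site must renew) from a chain that fails only because an intermediate has lapsed, which is the R3-via-DST-Root-CA-X3 case the linked OpenSSL and Let's Encrypt posts describe. The trimmed sample log and the observation time are constructed from the log above and the mail date.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the "Certificate info" blocks from the wget2 log attached
# above, with neighbouring non-indented lines kept to show they are skipped.
SAMPLE_LOG = """\
02.131809.442 gnutls_handshake: (-43) Error in the certificate. (errno=11)
Certificate info [0]:
  Valid since: 2021 Aug 01 Sun 11:19:48
  Expires: 2021 Oct 30 Sat 11:19:46
  DN: CN=invisible-mirror.net
  Issuer's DN: C=US,O=Let's Encrypt,CN=R3
Certificate info [1]:
  Valid since: 2020 Oct 07 Wed 13:21:40
  Expires: 2021 Sep 29 Wed 13:21:40
  DN: C=US,O=Let's Encrypt,CN=R3
  Issuer's DN: O=Digital Signature Trust Co.,CN=DST Root CA X3
Protocol: TLS1.2
"""
# When the run happened: the mail is dated 2021-10-02 and the log stamps read
# 02.131809 (day 02, 13:18:09); the month is not in the log itself.
OBSERVED_AT = datetime(2021, 10, 2, 13, 18, 9)

TIME_FMT = "%Y %b %d %a %H:%M:%S"  # wget2's layout, e.g. "2021 Sep 29 Wed 13:21:40"
HEADER_RE = re.compile(r"^Certificate info \[(\d+)\]:$", re.M)
FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$", re.M)  # indented "key: value" lines only


@dataclass
class CertInfo:
    index: int  # 0 is the leaf; higher indices are intermediates the server sent
    not_before: datetime
    not_after: datetime
    subject: str
    issuer: str


def parse_chain(log: str) -> list[CertInfo]:
    """Read each "Certificate info [n]" block into a CertInfo, in chain order."""
    headers = list(HEADER_RE.finditer(log))
    chain = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log)
        f = dict(FIELD_RE.findall(log[m.end():end]))
        chain.append(CertInfo(int(m.group(1)),
                              datetime.strptime(f["Valid since"], TIME_FMT),
                              datetime.strptime(f["Expires"], TIME_FMT),
                              f["DN"], f["Issuer's DN"]))
    return chain


def classify(log: str, when: datetime = OBSERVED_AT) -> tuple[str, list[CertInfo]]:
    """LEAF_EXPIRED: the site must renew.  INTERMEDIATE_EXPIRED: the served chain
    runs through a lapsed intermediate (here R3 cross-signed by the expired DST
    Root CA X3), which a current trust store resolves on the client side."""
    stale = [c for c in parse_chain(log) if not (c.not_before <= when <= c.not_after)]
    if not stale:
        return "VALID", stale
    if any(c.index == 0 for c in stale):
        return "LEAF_EXPIRED", stale
    return "INTERMEDIATE_EXPIRED", stale
```

Run against the full cert-issues.log the same way; the extra fields wget2 prints (fingerprint, serial, OIDs) are parsed but ignored.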


* Re: [ITA] ca-certificates
  2021-10-02 15:48 ` Jon Turney
  2021-10-02 16:37   ` Brian Inglis
@ 2021-10-03  5:22   ` Achim Gratz
  2021-10-03  8:27   ` Achim Gratz
  2 siblings, 0 replies; 9+ messages in thread
From: Achim Gratz @ 2021-10-03  5:22 UTC (permalink / raw)
  To: cygwin-apps

Jon Turney writes:
>> +# actually get the Fedora sources
>> +# the output from git must not be seen by cygport…
>> +git submodule update > /dev/null
>
> I think it's a scallywag bug that it doesn't currently checkout
> packaging repository submodules, so let me try to fix that.

I'd rather have proper support in cygport for importing foreign
packaging via submodules (I'm not sure what's the best way to do that or
I'd have offered a patch).  It's fine if the CI gets smarter, but the
packages should build locally as well without lots of manual
intervention.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada


* Re: [ITA] ca-certificates
  2021-10-02 15:48 ` Jon Turney
  2021-10-02 16:37   ` Brian Inglis
  2021-10-03  5:22   ` Achim Gratz
@ 2021-10-03  8:27   ` Achim Gratz
  2021-10-03 15:01     ` Jon Turney
  2 siblings, 1 reply; 9+ messages in thread
From: Achim Gratz @ 2021-10-03  8:27 UTC (permalink / raw)
  To: cygwin-apps

Jon Turney writes:
> I think it's a scallywag bug that it doesn't currently checkout
> packaging repository submodules, so let me try to fix that.

Doesn't seem to work:

--8<---------------cut here---------------start------------->8---
Submodule 'fedora' (https://src.fedoraproject.org/rpms/ca-certificates.git) registered for path 'fedora'
Cloning into '/cygdrive/c/projects/ca-certificates/fedora'...
error: Server does not allow request for unadvertised object 00da4d0e2ad60757fe0901ae01a4423a31140bed
fatal: Fetched in submodule path 'fedora', but it did not contain 00da4d0e2ad60757fe0901ae01a4423a31140bed. Direct fetching of that commit failed.
scallywag: something went wrong cloning the package repo
--8<---------------cut here---------------end--------------->8---


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada


* Re: [ITA] ca-certificates
  2021-10-03  8:27   ` Achim Gratz
@ 2021-10-03 15:01     ` Jon Turney
  2021-10-03 15:43       ` Achim Gratz
  0 siblings, 1 reply; 9+ messages in thread
From: Jon Turney @ 2021-10-03 15:01 UTC (permalink / raw)
  To: cygwin-apps

On 03/10/2021 09:27, Achim Gratz wrote:
> Jon Turney writes:
>> I think it's a scallywag bug that it doesn't currently checkout
>> packaging repository submodules, so let me try to fix that.
> 
> Doesn't seem to work:
> 
> --8<---------------cut here---------------start------------->8---
> Submodule 'fedora' (https://src.fedoraproject.org/rpms/ca-certificates.git) registered for path 'fedora'
> Cloning into '/cygdrive/c/projects/ca-certificates/fedora'...
> error: Server does not allow request for unadvertised object 00da4d0e2ad60757fe0901ae01a4423a31140bed
> fatal: Fetched in submodule path 'fedora', but it did not contain 00da4d0e2ad60757fe0901ae01a4423a31140bed. Direct fetching of that commit failed.
> scallywag: something went wrong cloning the package repo
> --8<---------------cut here---------------end--------------->8---
> 

Yeah, I did say 'try' because shallow cloning submodules is somewhat 
fraught, but I think I have it right now...

I notice in passing that commit is a couple of years old and belongs to 
an EOL'ed Fedora version, so you might want to see if there are later 
commits which are more suitable?


* Re: [ITA] ca-certificates
  2021-10-03 15:01     ` Jon Turney
@ 2021-10-03 15:43       ` Achim Gratz
  0 siblings, 0 replies; 9+ messages in thread
From: Achim Gratz @ 2021-10-03 15:43 UTC (permalink / raw)
  To: cygwin-apps

Jon Turney writes:
> I notice in passing that commit is a couple of years old and belongs
> to an EOL'ed Fedora version, so you might want to see if there are
> later commits which are more suitable?

WTH… somewhere along getting all the other stuff going the actual update
seems to have gone missing.  OK, I'll fix it up and re-release.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada

