* Emacs, GnuTLS, and DST Root CA X3
From: Jib Style @ 2021-10-05 8:22 UTC (permalink / raw)
To: cygwin
Several days ago, root certificate "DST Root CA X3" expired, breaking
TLS for many clients. I believe the latest version of GnuTLS available
on Cygwin (3.6.9, 2 years ago) is impacted. Is anyone able to publish a
newer version of this package?
This impacts me as I use Cygwin Emacs and can no longer open TLS
connections to many hosts for the purposes of web browsing and
newsgroups. I believe all other Cygwin Emacs users would be impacted
also.
Repro steps:
1. Install Cygwin default packages.
2. Install Cygwin package emacs-w32 27.2-1.
3. In Cygwin terminal: emacs -nw -Q
4. In Emacs: M-: (url-retrieve-synchronously "https://gnu.org")
Expected: Emacs should load webpage and return a buffer.
Actual: Emacs network security manager says certificate expired/could
not be verified.
After discussing this in the #emacs Libera.chat IRC, the consensus was
that the old GnuTLS version is to blame, and that a newer version would
fix the problem.
Does anyone have similar issues or tips on how to resolve? Thank you.
* Re: Emacs, GnuTLS, and DST Root CA X3
From: Brian Inglis @ 2021-10-06 7:08 UTC (permalink / raw)
To: cygwin; +Cc: Jib Style
On 2021-10-05 02:22, Jib Style via Cygwin wrote:
> Several days ago, root certificate "DST Root CA X3" expired, breaking
> TLS for many clients. I believe the lastest version of GnuTLS available
> on Cygwin (3.6.9, 2 years ago) is impacted. Is anyone able to publish a
> newer version of this package?
>
> This impacts me as I use Cygwin Emacs and can no longer open TLS
> connections to many hosts for the purposes of web browsing and
> newsgroups. I believe all other Cygwin Emacs users would be impacted
> also.
>
> Repro steps:
> 1. Install Cygwin default packages.
> 2. Install Cygwin package emacs-w32 27.2-1.
> 3. In Cygwin terminal: emacs -nw -Q
> 4. In Emacs: M-: (url-retrieve-synchronously "https://gnu.org")
>
> Expected: Emacs should load webpage and return a buffer.
> Actual: Emacs network security manager says certificate expired/could
> not be verified.
>
> After discussing this in the #emacs Libera.chat IRC, the consensus was
> that the old GnuTLS version is to blame, and that a newer version would
> fix the problem.
>
> Does anyone have similar issues or tips on how to resolve? Thank you.
The latest ca-certificates package from Mozilla has been announced as
re-released three times recently to attempt to address all the issues.
Please read the latest mailing list announcement:
[ANNOUNCEMENT] Updated: ca-certificates-2.50-3
https://cygwin.com/pipermail/cygwin/2021-October/249569.html
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
* Re: Emacs, GnuTLS, and DST Root CA X3
From: Jib Style @ 2021-10-06 12:25 UTC (permalink / raw)
To: cygwin
I followed the recent announcements, but unfortunately the problem
persists.
I tested on two computers, with the following ca-certificates versions:
- ca-certificates-2.40-1
- ca-certificates-2.50-1
- ca-certificates-2.50-2
- ca-certificates-2.50-3
- ca-certificates-2.50-3 AND ca-certificates-letsencrypt-2.50-3
In all cases, the result was the same.
From the ca-certificates-letsencrypt-2.50-3 announcement:
> It may be necessary to also remove trust for the already expired DST
> X3 root CA
I'm still trying to figure out _how_ to do this, although I'm not sure
whether it should help my situation. I'll report back with the result.
Some (non-Cygwin) Emacs users reported that GnuTLS >= 3.6.14 works.
* Re: Emacs, GnuTLS, and DST Root CA X3
From: Jib Style @ 2021-10-06 23:33 UTC (permalink / raw)
To: cygwin
Good news! My problem is solved.
> From the ca-certificates-letsencrypt-2.50-3 announcement:
>
> > It may be necessary to also remove trust for the already expired DST
> > X3 root CA
>
> I'm still trying to figure out _how_ to do this, although I'm not sure
> whether it should help my situation. I'll report back with the result.
This did the trick.
Regarding the outdated version of GnuTLS available in Cygwin, I see that
these trust anchor changes constitute a workaround.
Furthermore, I see that ca-certificates-2.50-4 and
ca-certificates-letsencrypt-2.50-4 were released, which automate the
above quoted process. Very nice! My final question would be if
ca-certificates-letsencrypt will eventually be merged into
ca-certificates?
I am now happily browsing the web again in Cygwin Emacs. Thank you to
this mailing list and those in IRC who helped me debug the problem. I
learned a lot about certificate trust chains in the process!
* Re: Emacs, GnuTLS, and DST Root CA X3
From: ASSI @ 2021-10-07 6:19 UTC (permalink / raw)
To: cygwin
Jib Style via Cygwin writes:
> My final question would be if ca-certificates-letsencrypt will
> eventually be merged into ca-certificates?
No, unless upstream chooses to do that, which seems unlikely. The
ca-certificates-letsencrypt package will be obsoleted as soon as
certificates (or libraries / applications) that need the workaround
cease to exist in the wild. I think the maximum lifetime of client
certificates is 60 days, but the intermediate cert validity using the
cross-signed chain that triggers this problem is much longer than that
(for compatibility with older Android versions).
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
DIY Stuff:
http://Synth.Stromeko.net/DIY.html
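The thread above establishes three facts without showing the mechanism: an updated ca-certificates package alone did not help, removing trust for the expired DST Root CA X3 did, and a newer GnuTLS (>= 3.6.14) is reported to work without that removal. The following model, added here as an editorial example and not code from the thread, from GnuTLS or from the Cygwin packages, reproduces all three outcomes with a small X.509 path builder. Certificates are plain records of subject, issuer and notAfter (no parsing, no signatures); the names and dates are constructed to mirror the public Let's Encrypt chain of October 2021 (leaf, R3, the ISRG Root X1 cross-signed by DST Root CA X3), and the "legacy" versus "trusted-first" split is an assumed simplification of how older and newer validators differ, not a transcription of any library's code.

```python
"""Model of X.509 path building around the DST Root CA X3 expiry.

Added example, not code from the thread or from GnuTLS/Cygwin.  Certificates
are plain records (subject, issuer, notAfter); there is no real X.509 parsing
or signature checking.  Names and dates are constructed to mirror the public
Let's Encrypt chain of 2021; the legacy/trusted-first split is an assumed
simplification of validator behaviour, not any library's actual code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed chain as a Let's Encrypt server presented it in October 2021:
# leaf <- R3 <- ISRG Root X1 (the copy cross-signed by DST Root CA X3).
LEAF = Cert("CN=example.org", "CN=R3", utc(2021, 12, 31))
R3 = Cert("CN=R3", "CN=ISRG Root X1", utc(2025, 9, 15))
ISRG_X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3", utc(2024, 9, 30))
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Trust-anchor candidates: the self-signed ISRG root and the expired DST root.
ISRG_X1_SELF = Cert("CN=ISRG Root X1", "CN=ISRG Root X1", utc(2035, 6, 4))
DST_X3 = Cert("CN=DST Root CA X3", "CN=DST Root CA X3", utc(2021, 9, 30))

NOW = utc(2021, 10, 5)  # date of the first message in the thread


class Expired(Exception):
    """An expired certificate on the chosen path: a terminal failure."""


def _index(certs):
    by_subject = {}
    for c in certs:
        by_subject.setdefault(c.subject, []).append(c)
    return by_subject


def verify(chain, anchors, now=NOW, trusted_first=False):
    """Build a path from chain[0] to a trust anchor.

    trusted_first=False models a legacy validator: it follows the server's
    presented chain before consulting the trust store, backtracks only when
    an issuer cannot be found at all, and treats an expired certificate
    (including an expired anchor) as a hard failure.
    trusted_first=True models newer behaviour: whenever the issuer of the
    current certificate is in the trust store, that anchor is used and the
    rest of the presented chain is ignored.
    Returns ("ok", [subjects]), ("expired", subject) or ("no path", None).
    """
    chain_idx, anchor_idx = _index(chain), _index(anchors)
    anchor_set = set(anchors)

    def search(cert, path):
        if cert.not_after <= now:
            raise Expired(cert.subject)
        path = path + [cert]
        if cert in anchor_set:
            return path
        from_store = anchor_idx.get(cert.issuer, [])
        from_chain = [c for c in chain_idx.get(cert.issuer, []) if c not in path]
        candidates = from_store + from_chain if trusted_first else from_chain + from_store
        for nxt in candidates:
            found = search(nxt, path)
            if found is not None:
                return found
        return None  # dead end: the caller tries its next candidate

    try:
        path = search(chain[0], [])
    except Expired as e:
        return "expired", str(e)
    if path is None:
        return "no path", None
    return "ok", [c.subject for c in path]


if __name__ == "__main__":
    store = [ISRG_X1_SELF, DST_X3]
    print("legacy, both roots trusted: ", verify(SERVER_CHAIN, store))
    print("legacy, DST Root CA X3 removed:", verify(SERVER_CHAIN, [ISRG_X1_SELF]))
    print("trusted-first, both roots:  ", verify(SERVER_CHAIN, store, trusted_first=True))
```

The legacy builder walks the presented chain into the cross-signed ISRG Root X1, looks up its issuer, finds the expired DST Root CA X3 in the store and stops there; adding ISRG Root X1 to the store changes nothing because that anchor is never consulted. Once DST Root CA X3 is removed the lookup dead-ends, the builder backtracks from the cross-signed certificate and terminates at the self-signed ISRG Root X1 instead, which is the workaround the thread arrived at. A trusted-first builder reaches the same anchor directly from R3, so neither the cross-signed certificate nor the expired root is ever examined.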