public inbox for overseers@sourceware.org
* gcc.gnu.org/sourceware.org SSL issues?
@ 2014-09-02  2:47 Maciej W. Rozycki
  2014-09-02  2:49 ` Andrew Pinski
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Maciej W. Rozycki @ 2014-09-02  2:47 UTC (permalink / raw)
  To: overseers

Hi,

 I've been looking for a statement on this matter somewhere, like on the 
front pages, but found nothing so has this issue been known?  E.g. the 
last entry on http://sourceware.org/news.html is from 2005.

 Since about yesterday or maybe the day before I've been having problems 
accessing gcc.gnu.org and sourceware.org sites over SSL, first a security 
alert is raised about a domain mismatch like:

'You have attempted to establish a connection with "gcc.gnu.org". However, 
the security certificate presented belongs to "(cygwin.com , 
www.cygwin.com)". It is possible, though unlikely, that someone may be 
trying to intercept your communication with this web site.'

and then if I ignore this warning (knowing that cygwin.com is really the 
same machine; this used to be browser-version-specific for some reason and 
I used not to care because I don't send any sensitive information to these 
sites anyway, but now I get it with the newer version too) I get this:

'Error establishing an encrypted connection to gcc.gnu.org. Error Code: 
-8092.'

and the connection then terminates.  Looking up Google reveals that -8092 
corresponds to SEC_ERROR_KEYGEN_FAIL or "Unable to generate public-private 
key pair".

 Some parts of the sites are accessible unencrypted, however the bugzillas 
are not and the SSL issue therefore blocks some of my work.  I'll 
appreciate your assistance.

 Thanks,

  Maciej


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  2:47 gcc.gnu.org/sourceware.org SSL issues? Maciej W. Rozycki
@ 2014-09-02  2:49 ` Andrew Pinski
  2014-09-02  3:23   ` Maciej W. Rozycki
  2014-09-02  4:45 ` Hans-Peter Nilsson
  2014-09-02 14:52 ` Joseph S. Myers
  2 siblings, 1 reply; 8+ messages in thread
From: Andrew Pinski @ 2014-09-02  2:49 UTC (permalink / raw)
  To: Maciej W. Rozycki; +Cc: overseers

On Mon, Sep 1, 2014 at 7:47 PM, Maciej W. Rozycki
<macro@codesourcery.com> wrote:
> Hi,
>
>  I've been looking for a statement on this matter somewhere, like on the
> front pages, but found nothing so has this issue been known?  E.g. the
> last entry on http://sourceware.org/news.html is from 2005.
>
>  Since about yesterday or maybe the day before I've been having problems
> accessing gcc.gnu.org and sourceware.org sites over SSL, first a security
> alert is raised about a domain mismatch like:
>
> 'You have attempted to establish a connection with "gcc.gnu.org". However,
> the security certificate presented belongs to "(cygwin.com ,
> www.cygwin.com)". It is possible, though unlikely, that someone may be
> trying to intercept your communication with this web site.'
>
> and then if I ignore this warning (knowing that cygwin.com is really the
> same machine; this used to be browser-version-specific for some reason and
> I used not to care because I don't send any sensitive information to these
> sites anyway, but now I get it with the newer version too) I get this:
>
> 'Error establishing an encrypted connection to gcc.gnu.org. Error Code:
> -8092.'
>
> and the connection then terminates.  Looking up Google reveals that -8092
> corresponds to SEC_ERROR_KEYGEN_FAIL or "Unable to generate public-private
> key pair".
>
>  Some parts of the sites are accessible unencrypted, however the bugzillas
> are not and the SSL issue therefore blocks some of my work.  I'll
> appreciate your assistance.

What browser are you using?  I have heard some older browser does not
support the feature that gcc.gnu.org uses for SSL.

Thanks,
Andrew

>
>  Thanks,
>
>   Maciej


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  2:49 ` Andrew Pinski
@ 2014-09-02  3:23   ` Maciej W. Rozycki
  2014-09-02  6:40     ` Gerald Pfeifer
  0 siblings, 1 reply; 8+ messages in thread
From: Maciej W. Rozycki @ 2014-09-02  3:23 UTC (permalink / raw)
  To: Andrew Pinski; +Cc: overseers

On Tue, 2 Sep 2014, Andrew Pinski wrote:

> >  I've been looking for a statement on this matter somewhere, like on the
> > front pages, but found nothing so has this issue been known?  E.g. the
> > last entry on http://sourceware.org/news.html is from 2005.
> >
> >  Since about yesterday or maybe the day before I've been having problems
> > accessing gcc.gnu.org and sourceware.org sites over SSL, first a security
> > alert is raised about a domain mismatch like:
> >
> > 'You have attempted to establish a connection with "gcc.gnu.org". However,
> > the security certificate presented belongs to "(cygwin.com ,
> > www.cygwin.com)". It is possible, though unlikely, that someone may be
> > trying to intercept your communication with this web site.'
> >
> > and then if I ignore this warning (knowing that cygwin.com is really the
> > same machine; this used to be browser-version-specific for some reason and
> > I used not to care because I don't send any sensitive information to these
> > sites anyway, but now I get it with the newer version too) I get this:
> >
> > 'Error establishing an encrypted connection to gcc.gnu.org. Error Code:
> > -8092.'
> >
> > and the connection then terminates.  Looking up Google reveals that -8092
> > corresponds to SEC_ERROR_KEYGEN_FAIL or "Unable to generate public-private
> > key pair".
> >
> >  Some parts of the sites are accessible unencrypted, however the bugzillas
> > are not and the SSL issue therefore blocks some of my work.  I'll
> > appreciate your assistance.
> 
> What browser are you using?  I have heard some older browser does not
> support the feature that gcc.gnu.org uses for SSL.

 I switch between two versions of Firefox (or Iceape/Iceweasel which is 
how Debian prefers to call it): `Iceape 1.0.9' is my usual choice and for 
sites that are picky/weird I use `Firefox 3.5.19', both according to 
Help->About.

 As I say, till the last weekend all worked just fine.  Hmm, perhaps I 
should switch to Lynx -- I just tried it and it seems just fine, though I 
find accessing bugzilla with it mildly inconvenient.

 Thanks,

  Maciej


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  2:47 gcc.gnu.org/sourceware.org SSL issues? Maciej W. Rozycki
  2014-09-02  2:49 ` Andrew Pinski
@ 2014-09-02  4:45 ` Hans-Peter Nilsson
  2014-09-02 18:18   ` Maciej W. Rozycki
  2014-09-02 14:52 ` Joseph S. Myers
  2 siblings, 1 reply; 8+ messages in thread
From: Hans-Peter Nilsson @ 2014-09-02  4:45 UTC (permalink / raw)
  To: Maciej W. Rozycki; +Cc: overseers

On Tue, 2 Sep 2014, Maciej W. Rozycki wrote:
> 'You have attempted to establish a connection with "gcc.gnu.org". However,
> the security certificate presented belongs to "(cygwin.com ,
> www.cygwin.com)". It is possible, though unlikely, that someone may be
> trying to intercept your communication with this web site.'

(This is the SNI issue, I see it but I'm not concerned.)

> and then if I ignore this warning (knowing that cygwin.com is really the
> same machine; this used to be browser-version-specific for some reason and
> I used not to care because I don't send any sensitive information to these
> sites anyway, but now I get it with the newer version too) I get this:
>
> 'Error establishing an encrypted connection to gcc.gnu.org. Error Code:
> -8092.'
>
> and the connection then terminates.  Looking up Google reveals that -8092
> corresponds to SEC_ERROR_KEYGEN_FAIL or "Unable to generate public-private
> key pair".

Exactly the same thing I see, as mentioned last Thursday here.
Thanks for bringing it up; then I know it's not just me.
If you find a work-around other than lynx or upgrading, do tell.

It would be nice to know *what* has changed in the setup.
(Is only AES 256-bit allowed these days?  Pointer to advisory?)

Again, AFAIK this is separate to the SNI issue.

brgds, H-P


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  3:23   ` Maciej W. Rozycki
@ 2014-09-02  6:40     ` Gerald Pfeifer
  2014-09-02 14:34       ` Maciej W. Rozycki
  0 siblings, 1 reply; 8+ messages in thread
From: Gerald Pfeifer @ 2014-09-02  6:40 UTC (permalink / raw)
  To: Maciej W. Rozycki; +Cc: Andrew Pinski, overseers

On Tue, 2 Sep 2014, Maciej W. Rozycki wrote:
> I switch between two versions of Firefox (or Iceape/Iceweasel which is 
> how Debian prefers to call it): `Iceape 1.0.9' is my usual choice and for 
> sites that are picky/weird I use `Firefox 3.5.19', both according to 
> Help->About.

Firefox 3.6 was released early in 2010, four-and-a-half years ago;
is using a current version (not) an option?

Gerald


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  6:40     ` Gerald Pfeifer
@ 2014-09-02 14:34       ` Maciej W. Rozycki
  0 siblings, 0 replies; 8+ messages in thread
From: Maciej W. Rozycki @ 2014-09-02 14:34 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: Andrew Pinski, overseers

On Tue, 2 Sep 2014, Gerald Pfeifer wrote:

> > I switch between two versions of Firefox (or Iceape/Iceweasel which is 
> > how Debian prefers to call it): `Iceape 1.0.9' is my usual choice and for 
> > sites that are picky/weird I use `Firefox 3.5.19', both according to 
> > Help->About.
> 
> Firefox 3.6 was released early in 2010, four-and-a-half years ago;
> is using a current version (not) an option?

 As far as rebuilding from sources -- it certainly is.  Question is: can I 
afford it?  I keep using 1.0.9 as my default browser, it's just got the 
right pieces in the right places, unlike any later versions.  Why do 
people writing this software think along bug fixes and engine updates they 
absolutely must change the UI as well?

 Anyway the warning has disappeared with 3.5.19 now and things work past 
that point, so I think I'm set, at least till the next issue, that is. ;)

 Thanks,

  Maciej


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  2:47 gcc.gnu.org/sourceware.org SSL issues? Maciej W. Rozycki
  2014-09-02  2:49 ` Andrew Pinski
  2014-09-02  4:45 ` Hans-Peter Nilsson
@ 2014-09-02 14:52 ` Joseph S. Myers
  2 siblings, 0 replies; 8+ messages in thread
From: Joseph S. Myers @ 2014-09-02 14:52 UTC (permalink / raw)
  To: Maciej W. Rozycki; +Cc: overseers

On Tue, 2 Sep 2014, Maciej W. Rozycki wrote:

> 'You have attempted to establish a connection with "gcc.gnu.org". However, 
> the security certificate presented belongs to "(cygwin.com , 
> www.cygwin.com)". It is possible, though unlikely, that someone may be 
> trying to intercept your communication with this web site.'

This seems like the SNI issue.  It seems that with SeaMonkey/Iceape you 
need at least version 1.1b for SNI support; 1.0.9 is too old.

-- 
Joseph S. Myers
joseph@codesourcery.com
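
[Added example, not part of the thread and not sourceware's configuration: the domain-mismatch warning discussed above, reproduced offline. It parses a ClientHello for the server_name extension and shows which certificate names a name-based TLS host would hand back. The ClientHello bytes, the VHOST_CERT_NAMES table and all function names are constructed assumptions; only the cygwin.com names come from the quoted warning. It does not model the separate -8092 error.]

```python
import struct

# Constructed table: names on the certificate each virtual host would present.
VHOST_CERT_NAMES = {"gcc.gnu.org": ("gcc.gnu.org",),
                    "sourceware.org": ("sourceware.org",)}
DEFAULT_CERT_NAMES = ("cygwin.com", "www.cygwin.com")   # names from the warning

def build_client_hello(sni=None):
    """Build a minimal constructed ClientHello record; sni=None omits extensions."""
    body = (b"\x03\x01" + bytes(32)      # client_version (TLS 1.0) + random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x00\x35"        # one suite: TLS_RSA_WITH_AES_256_CBC_SHA
            + b"\x01\x00")               # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", 0, len(data)) + data           # ext 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record header

def extract_sni(record):
    """Return the SNI host name in a ClientHello record, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                  # headers, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos + 2 > len(record):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        if etype == 0:                    # skip ext header, list length, name type
            nlen = struct.unpack_from("!H", record, pos + 7)[0]
            return record[pos + 9:pos + 9 + nlen].decode("ascii")
        pos += 4 + elen
    return None

def diagnose(requested_host, record):
    """Classify the outcome for a browser that asked for requested_host."""
    sni = extract_sni(record)
    names = VHOST_CERT_NAMES.get(sni, DEFAULT_CERT_NAMES)
    if requested_host in names:
        return "ok"
    return "mismatch: no SNI sent" if sni is None else "mismatch"
```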


* Re: gcc.gnu.org/sourceware.org SSL issues?
  2014-09-02  4:45 ` Hans-Peter Nilsson
@ 2014-09-02 18:18   ` Maciej W. Rozycki
  0 siblings, 0 replies; 8+ messages in thread
From: Maciej W. Rozycki @ 2014-09-02 18:18 UTC (permalink / raw)
  To: Hans-Peter Nilsson; +Cc: overseers

On Tue, 2 Sep 2014, Hans-Peter Nilsson wrote:

> It would be nice to know *what* has changed in the setup.
> (Is only AES 256-bit allowed these days?  Pointer to advisory?)

 256-bit AES is on the list of available (and enabled) ciphers in my 1.0.9 
browser, so it must be something else.  As to 3.5.19 I don't know offhand 
how to figure out which ciphers it supports let alone disable them or 
enable (speaking of UI changes...).

  Maciej
