Package: sitecopy
Version: 1:0.16.6-7
Severity: important
Tags: security

Hi!

I use sitecopy to update websites via webdav over SSL:

  $ cat .sitecopyrc 
  [...]
    protocol webdav
    http secure
  [...]

When the website uses a self-signed SSL certificate, I have to explicitly
check the fingerprint and accept the certificate. This is needed each
time the self-signed SSL certificate is renewed, but only once (until
the next renewal, of course).
This is nothing new or special about sitecopy. I am not aware of any
better way to handle self-signed certificates: I've seen the same
pattern in many many other programs...

On the other hand, when the website uses a CA-issued SSL certificate,
it seems that sitecopy is unable to automatically check the trust
chain from the CA to the certificate. As a consequence it again asks
the user to manually check the fingerprint and accept the certificate!
Just like with self-signed certificates!
It happened to me, when a website was migrated to use certificates issued
by Let's Encrypt [1]. The whole point of Let's Encrypt is to handle
the certificate issuing in an automated way: hence, the fingerprint
of the automatically renewed certificate is no longer published by
the website administrators. This means that, with sitecopy, the
security of the connection has in fact decreased, after the switch
from self-signed certificates to Let's Encrypt: the user has to hope
there is no man-in-the-middle attack on the first time he/she connects
to the website after each certificate renewal!

[1] https://letsencrypt.org/

The behavior I experienced seems to be a bug, since the sitecopy(1)
man page states:

  [...]
  The first time
  SSL is used to access the server, the user will be prompted to verify
  the SSL certificate, if it's not signed by a CA trusted in the system's
  CA root bundle.
  [...]

but sitecopy is apparently unable to check the trust chain from the
appropriate root CA to the certificate.
This chain seems to be

  DST Root CA X3 → Let's Encrypt Authority X1 → <website_certificate>

and it seems to me that the DST Root CA X3 certificate is installed
on my system:

  $ dpkg -L ca-certificates | grep -i DST
  /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
  /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt


Please investigate and fix this bug and/or forward my bug report
upstream, as appropriate.

Thanks for your time!
Bye.


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sitecopy depends on:
ii  libc6             2.22-5
ii  libneon27-gnutls  0.30.1-3

sitecopy recommends no packages.

sitecopy suggests no packages.

-- no debconf information
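For reference, the check the man page promises (and which the report says sitecopy fails to perform for a Let's Encrypt chain) is shown below as an added Go example. It is not part of this bug report and not sitecopy/neon code: it builds a constructed three-level chain of its own (the CA names and the host name www.example.test are made up, standing in for DST Root CA X3 -> Let's Encrypt Authority X1 -> website certificate), then verifies the leaf against a bundle that contains the root and against one that does not, and prints the SHA-256 fingerprint a user would otherwise have to compare by hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var serial int64 // unique serial numbers for the constructed certificates

// makeCert issues a certificate for cn, self-signed when parent is nil; isCA marks signers.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // checked against the host name at verification time
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fingerprint returns SHA-256 of the DER certificate in the colon-separated form
// that "openssl x509 -fingerprint -sha256" prints, for manual comparison.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// ChainTrusted is the check the man page describes: build a path from the leaf, through
// the intermediates the server sent, to a root in the bundle, and check the host name.
// A nil result means no fingerprint prompt is needed; otherwise the error says why.
func ChainTrusted(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// Demo builds a constructed root -> intermediate -> leaf chain (stand-ins for DST Root
// CA X3 -> Let's Encrypt Authority X1 -> website) and checks it with and without the root.
func Demo() (withRoot, withoutRoot error, fp string) {
	root, rootKey := makeCert("Constructed Root CA", true, nil, nil)
	inter, interKey := makeCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("www.example.test", false, inter, interKey)
	bundle := x509.NewCertPool() // a real client starts from x509.SystemCertPool()
	bundle.AddCert(root)
	withRoot = ChainTrusted(leaf, []*x509.Certificate{inter}, bundle, "www.example.test")
	other, _ := makeCert("Unrelated Root CA", true, nil, nil)
	wrongBundle := x509.NewCertPool() // the root of this chain is absent here
	wrongBundle.AddCert(other)
	withoutRoot = ChainTrusted(leaf, []*x509.Certificate{inter}, wrongBundle, "www.example.test")
	return withRoot, withoutRoot, Fingerprint(leaf)
}

func main() {
	ok, bad, fp := Demo()
	fmt.Printf("root in bundle: %v\nroot not in bundle: %v\nleaf fingerprint: %s\n", ok, bad, fp)
}
```

The first verification succeeds without any prompt, which is the behaviour the man page describes for a CA-issued certificate; the second fails with "certificate signed by unknown authority", which is the only case where falling back to a fingerprint prompt is appropriate. Replacing the constructed pool with x509.SystemCertPool() makes the same function use the system root bundle that the ca-certificates package installs, so the DST Root CA X3 listed in the dpkg output above would be among the trusted roots.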
