Re: Emacs, GnuTLS, and DST Root CA X3
Jib Style via Cygwin writes: > My final question would be if ca-certificates-letsencrypt will > eventually be merged into ca-certificates? No unless upstream choses to do that, which seems unlikely. The ca-certificates-letsencrypt package will be obsoleted as soon as certificates (or libraries / applications) that need the workaround cease to exist in the wild. I think the maximum lifetime of client certificates is 60 days, but the intermediate cert validity using the cross-signed chain that triggers this problem is much longer than that (for compatibility with older Android versions). Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ DIY Stuff: http://Synth.Stromeko.net/DIY.html -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Emacs, GnuTLS, and DST Root CA X3
Good news! My problem is solved. > From the ca-certificates-letsencrypt-2.50-3 announcement: > > > It may be necessary to also remove trust for the already expired DST > > X3 root CA > > I'm still trying to figure out _how_ to do this, although I'm not sure > whether it should help my situation. I'll report back with the result. This did the trick. Regarding the outdated version of GnuTLS available in Cygwin, I see that these trust anchor changes constitute a workaround. Furthermore, I see that ca-certificates-2.50-4 and ca-certificates-letsencrypt-2.50-4 were released, which automate the above quoted process. Very nice! My final question would be if ca-certificates-letsencrypt will eventually be merged into ca-certificates? I am now happily browsing the web again in Cygwin Emacs. Thank you to this mailing list and those in IRC who helped me debug the problem. I learned a lot about certificate trust chains in the process! -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Emacs, GnuTLS, and DST Root CA X3
I followed the recent announcements, but unfortunately the problem persists. I tested on two computers, with the following ca-certificates versions: - ca-certificates-2.40-1 - ca-certificates-2.50-1 - ca-certificates-2.50-2 - ca-certificates-2.50-3 - ca-certificates-2.50-3 AND ca-certificates-letsencrypt-2.50-3 In all cases, the result was the same. >From the ca-certificates-letsencrypt-2.50-3 announcement: > It may be necessary to also remove trust for the already expired DST > X3 root CA I'm still trying to figure out _how_ to do this, although I'm not sure whether it should help my situation. I'll report back with the result. Some (non-Cygwin) Emacs users reported that GnuTLS >= 3.6.14 works. -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
Re: Emacs, GnuTLS, and DST Root CA X3
On 2021-10-05 02:22, Jib Style via Cygwin wrote: Several days ago, root certificate "DST Root CA X3" expired, breaking TLS for many clients. I believe the lastest version of GnuTLS available on Cygwin (3.6.9, 2 years ago) is impacted. Is anyone able to publish a newer version of this package? This impacts me as I use Cygwin Emacs and can no longer open TLS connections to many hosts for the purposes of web browsing and newsgroups. I believe all other Cygwin Emacs users would be impacted also. Repro steps: 1. Install Cygwin default packages. 2. Install Cygwin package emacs-w32 27.2-1. 3. In Cygwin terminal: emacs -nw -Q 4. In Emacs: M-: (url-retrieve-synchronously "https://gnu.org;) Expected: Emacs should load webpage and return a buffer. Actual: Emacs network security manager says certificate expired/could not be verified. After discussing this in the #emacs Libera.chat IRC, the consensus was that the old GnuTLS version is to blame, and that a newer version would fix the problem. Does anyone have similar issues or tips on how to resolve? Thank you. The latest ca-certificates package from Mozilla has been announced as re-released three times recently to attempt to address all the issues. Please read the latest mailing list announcement: [ANNOUNCEMENT] Updated: ca-certificates-2.50-3 https://cygwin.com/pipermail/cygwin/2021-October/249569.html -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. [Data in binary units and prefixes, physical quantities in SI.] -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation:https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
