Re: Emacs, GnuTLS, and DST Root CA X3

2021-10-06 Thread Jib Style via Cygwin
I followed the recent announcements, but unfortunately the problem
persists.

I tested on two computers, with the following ca-certificates versions:

- ca-certificates-2.40-1
- ca-certificates-2.50-1
- ca-certificates-2.50-2
- ca-certificates-2.50-3
- ca-certificates-2.50-3 AND ca-certificates-letsencrypt-2.50-3

In all cases, the result was the same.

From the ca-certificates-letsencrypt-2.50-3 announcement:

> It may be necessary to also remove trust for the already expired DST
> X3 root CA

I'm still trying to figure out _how_ to do this, although I'm not sure
whether it should help my situation. I'll report back with the result.

Some (non-Cygwin) Emacs users reported that GnuTLS >= 3.6.14 works.


-- 
Problem reports:  https://cygwin.com/problems.html
FAQ:  https://cygwin.com/faq/
Documentation:  https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple


Re: Emacs, GnuTLS, and DST Root CA X3

2021-10-06 Thread Jib Style via Cygwin
Good news! My problem is solved.

> From the ca-certificates-letsencrypt-2.50-3 announcement:
> 
> > It may be necessary to also remove trust for the already expired DST
> > X3 root CA
> 
> I'm still trying to figure out _how_ to do this, although I'm not sure
> whether it should help my situation. I'll report back with the result.

This did the trick.

Regarding the outdated version of GnuTLS available in Cygwin, I see that
these trust anchor changes constitute a workaround.

Furthermore, I see that ca-certificates-2.50-4 and
ca-certificates-letsencrypt-2.50-4 were released, which automate the
above quoted process. Very nice! My final question would be if
ca-certificates-letsencrypt will eventually be merged into
ca-certificates?

I am now happily browsing the web again in Cygwin Emacs. Thank you to
this mailing list and those in IRC who helped me debug the problem. I
learned a lot about certificate trust chains in the process!




Emacs, GnuTLS, and DST Root CA X3

2021-10-05 Thread Jib Style via Cygwin
Several days ago, root certificate "DST Root CA X3" expired, breaking
TLS for many clients. I believe the latest version of GnuTLS available
on Cygwin (3.6.9, 2 years ago) is impacted. Is anyone able to publish a
newer version of this package?

This impacts me as I use Cygwin Emacs and can no longer open TLS
connections to many hosts for the purposes of web browsing and
newsgroups. I believe all other Cygwin Emacs users would be impacted
also.

Repro steps:
1. Install Cygwin default packages.
2. Install Cygwin package emacs-w32 27.2-1.
3. In Cygwin terminal: emacs -nw -Q
4. In Emacs: M-: (url-retrieve-synchronously "https://gnu.org")

Expected: Emacs should load webpage and return a buffer.
Actual: Emacs network security manager says certificate expired/could
not be verified.

After discussing this in the #emacs Libera.chat IRC, the consensus was
that the old GnuTLS version is to blame, and that a newer version would
fix the problem.

Does anyone have similar issues or tips on how to resolve? Thank you.

