Bug#845989: [Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

2017-05-02 Thread Lev Lazinskiy
Hi all, 

> For the record, I can still reproduce this in Debian jessie, which is
> pretty bad - shouldn't a stable update be shipped for this already?
> 

I just installed a fresh copy of jessie and tried to use the
torbrowser-launcher and ran into the same issue. Does anyone know what
the workaround is for jessie? We should at least document it in the
wiki[1] so that future users are able to get this to work properly. 

Best, 
Lev 

[1] https://wiki.debian.org/TorBrowser



Bug#845989: [Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

2017-04-19 Thread Antoine Beaupre
On Sun, Nov 27, 2016 at 12:36:05PM -0500, Antoine Beaupré wrote:
> On 2016-11-27 11:16:11, Holger Levsen wrote:
> > On Sun, Nov 27, 2016 at 10:39:16AM -0500, Antoine Beaupré wrote:
> >> > … you've been attacked.
> >> I beg to disagree. I doubt that M. Kshevetskiy has been, in this case,
> >> individually targeted for attack.
> >
> > Me too. And I never said he had been individually attacked. I just
> > said he had been attacked.
> 
> Good point.
> 
> It's just the error message explicitly says "you". :)
> 
> >> I am reopening this bug. It has been forwarded upstream, where I have
> >> brought more suggestions on how to improve the user experience here.
> >
> > I'd suggest downgrading to important (at most, probably normal is better) 
> > and maybe also tagging it as "unreproducible" (as it's not reliably
> > reproducible…) so that the package doesn't get kicked out of testing…
> 
> That's fine with me!

For the record, I can still reproduce this in Debian jessie, which is
pretty bad - shouldn't a stable update be shipped for this already?

Things seem fine in stretch, however.

A.
-- 
In serious work commanding and discipline are of little avail.
 - Peter Kropotkin




Bug#845989: [Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

2016-11-27 Thread Mikhail Kshevetskiy
Hello,

Looks like the problem is caused by a missing "DigiCert SHA2
High Assurance Server CA" certificate on my Debian testing system.
(I checked the same on another computer with Debian stable and it was OK.)

Look below and pay attention to the messages:
  1) unable to get local issuer certificate
  2) Verify return code: 20 (unable to get local issuer certificate)

This results in the Python OpenSSL library failing, and ends with the "You may be
under attack" message during the initial installation of torbrowser.



kl@flywind:~$ openssl s_client -connect dist.torproject.org:443
CONNECTED(0003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Cambridge/O=The Tor Project, Inc./CN=*.torproject.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/C=US/ST=Massachusetts/L=Cambridge/O=The Tor Project, Inc./CN=*.torproject.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3283 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 610A3292E75EEFA38CA322D9C34ECA27C18D2E02E8200DD9DA8009BB4E99B654
Session-ID-ctx: 
Master-Key:
F285EAAFB2AAE5CA3E495A1C8FE7D216CA9CADD366212077D823940DF9B4831C6E967B0C4989E75FBEE35877ADE5F015
PSK identity: None PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)

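The s_client output above reports verify error 20 at depth 1, which means OpenSSL could not find, in the local trust store, the issuer of the last certificate the server sent. The script below is an added example, not part of the bug thread or of torbrowser-launcher: it builds a throw-away root -> intermediate -> leaf chain with constructed names and shows how "openssl verify" reports a complete chain, an intermediate the server failed to send, and a root missing from the local store (the depth=1 case seen here). It assumes an openssl binary of 1.1.1 or later (for -no-CAfile/-no-CApath).

```shell
#!/bin/sh
# Added example (not from the bug thread): reproduce OpenSSL verify error 20
# (unable to get local issuer certificate) with a constructed test chain.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Root CA, self-signed via "x509 -req" so extensions come from ca.ext, not openssl.cnf.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out int.pem 2>/dev/null
# Leaf (server) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_status MODE -> "OK" or "CODE@DEPTH" (e.g. "20@1"), the same numbers
# s_client prints as "verify error:num=20" and "depth=1".
verify_status() {
  case "$1" in
    complete)             opts="-CAfile root.pem -untrusted int.pem" ;;       # root trusted, server sends intermediate
    missing_intermediate) opts="-CAfile root.pem" ;;                          # root trusted, intermediate not sent
    missing_root)         opts="-no-CAfile -no-CApath -untrusted int.pem" ;;  # intermediate sent, root not in local store
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
  out=$(openssl verify $opts leaf.pem 2>&1 || true)
  case "$out" in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1@\2/p' | head -n1 ;;
  esac
}

for m in complete missing_intermediate missing_root; do
  printf '%-22s %s\n' "$m" "$(verify_status "$m")"
done
```

The missing_root case is the one that matches the report: the server's chain is fine, and the fix is in the local ca-certificates store, not at the server.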
Bug#845989: [Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

2016-11-27 Thread Antoine Beaupré
On 2016-11-27 11:16:11, Holger Levsen wrote:
> On Sun, Nov 27, 2016 at 10:39:16AM -0500, Antoine Beaupré wrote:
>> > … you've been attacked.
>> I beg to disagree. I doubt that M. Kshevetskiy has been, in this case,
>> individually targeted for attack.
>
> Me too. And I never said he had been individually attacked. I just
> said he had been attacked.

Good point.

It's just the error message explicitly says "you". :)

>> I am reopening this bug. It has been forwarded upstream, where I have
>> brought more suggestions on how to improve the user experience here.
>
> I'd suggest downgrading to important (at most, probably normal is better) 
> and maybe also tagging it as "unreproducible" (as it's not reliably
> reproducible…) so that the package doesn't get kicked out of testing…

That's fine with me!

A.

-- 
I'm no longer accepting the things I cannot change.
I'm changing the things I cannot accept.
- Angela Davis



Bug#845989: [Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

2016-11-27 Thread Holger Levsen
On Sun, Nov 27, 2016 at 10:39:16AM -0500, Antoine Beaupré wrote:
> > … you've been attacked.
> I beg to disagree. I doubt that M. Kshevetskiy has been, in this case,
> individually targeted for attack.

Me too. And I never said he had been individually attacked. I just
said he had been attacked.
 
> I am reopening this bug. It has been forwarded upstream, where I have
> brought more suggestions on how to improve the user experience here.

I'd suggest downgrading to important (at most, probably normal is better) 
and maybe also tagging it as "unreproducible" (as it's not reliably
reproducible…) so that the package doesn't get kicked out of testing…


-- 
cheers,
Holger




Bug#845989: [Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

2016-11-27 Thread Antoine Beaupré
Control: reopen 845989
Control: forwarded 845989 https://github.com/micahflee/torbrowser-launcher/issues/254

On 2016-11-27 09:54:06, Holger Levsen wrote:
> thanks for your bug report, but I fear…
>
> On Sun, Nov 27, 2016 at 05:30:21PM +0300, Mikhail Kshevetskiy wrote:
>> Trying to start torbrowser for the first time produces the following message:
>> The SSL certificate served by https://www.torproject.org is invalid!
>> You may be under attack.
>
> … you've been attacked.

I beg to disagree. I doubt that M. Kshevetskiy has been, in this case,
individually targeted for attack.

That is not how tor works: if he was able to build a circuit (which
seems to be the case here), then the exit node is not supposed to know
who he is, unless the tor network is compromised in a novel way, or some
very powerful actor is running a correlation attack.

I think it is more likely that it is a transient error that is due to a
compromised exit node.

> https://jenkins.debian.net/view/torbrowser/job/torbrowser-launcher_test_on_unstable_amd64/429/console
> was just run successfully, showing no signs of an invalid certificate.
>
> https://jenkins.debian.net/view/torbrowser/job/torbrowser-launcher_test_on_unstable_amd64/429
> has screenshots and a video too.
>
> That test was done 10min ago.

Just because the tests passed on CI doesn't mean everything is fine. I
have experienced this bug as well, and it is a transient error:
restarting the Tor Browser fixed the issue for me.

> Closing as not a bug.

I am reopening this bug. It has been forwarded upstream, where I have
brought more suggestions on how to improve the user experience here.

A.

-- 
Be who you are and say what you feel
Because those who mind don't matter
And those who matter don't mind.
 - Dr. Seuss