Re: new certificate for svn.freebsd.org?
On Sat, Jun 18, 2016 at 12:55 PM, Wolfgang Zenker wrote:
> * Matthew Seaman [160618 11:21]:
>> On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
>>> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
>>> The new certificate is in place on the 4 mirrors that I found (US East,
>>> US West, UK, Russia) but didn't verify cleanly and wasn't in the
>>> documentation.
>
>>> For me, the fix was in Dimitry's mail, a step I probably missed when
>>> installing security/ca_root_nss:
>
>>> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
>
>> There's an option in the ca_root_nss port to create the symlink, which
>> is enabled by default. That option only exists because the ports are
>> not supposed to touch anything outside /usr/local -- except that for
>> this port, not creating the symlink for /etc/ssl/cert.pem pretty much
>> renders the whole port pointless.
>
>> Even so, the option used to be off by default: the change to 'on by
>> default' was made almost exactly a year ago, and there have been several
>> changes to the list of certs since, so not having the symlink in place
>> indicates either that you haven't updated your ports recently, or that
>> you've specifically chosen not to enable the symlink. In which case you
>> wouldn't have been able to validate the previous cert either.
>
> I first installed the port a couple of years ago and updated regularly,
> but of course the options value of not installing the symlink, which
> I then accepted as default, had been saved and was automatically used
> in every update since. I could not validate the previous cert either,
> but could check the hash against the published version.
>
> Now using "make rmconfig" and reinstalling the port fixed it for me.
>
> Maybe we should consider bringing the config dialog up again in
> ports where default values are changed?
>
> Wolfgang

That would probably require some reworking of the saved options. Now there is no information saved if an option is at its default setting or differs from the default. Without that information evaluating all options to detect changed defaults for a large set of ports would be very slow.

-Kimmo

___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
re: new certificate for svn.freebsd.org?
* Matthew Seaman [160618 11:21]:
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been
> several changes to the list of certs since, so not having the symlink
> in place indicates either that you haven't updated your ports
> recently, or that you've specifically chosen not to enable the
> symlink. In which case you wouldn't have been able to validate the
> previous cert either.
>
> There really is no excuse for not updating the ca_root_nss port
> immediately there are updates available. Otherwise you can end up
> trusting certificates that have since been shown to be less than
> trustworthy.
>
> That you couldn't verify the cert is not a bug in FreeBSD, but a
> configuration problem in your own system. Not having the right
> fingerprint in the docs certainly is a bug which I'm sure will be
> addressed soon.

Thanks for the warnings, Matthew. In my case, the symlink was in place in all the relevant jails, just not on the underlying system, which pre-dated the config change and communicated only with svn.freebsd.org to update the src and ports trees daily. That key had been manually verified long ago. I moved the bug report to documentation as soon as I realized that my lack of a symlink was at fault.

Hope this helps,

Ben
Re: new certificate for svn.freebsd.org?
* Matthew Seaman [160618 11:21]:
> On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
>> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
>> The new certificate is in place on the 4 mirrors that I found (US East,
>> US West, UK, Russia) but didn't verify cleanly and wasn't in the
>> documentation.
>> For me, the fix was in Dimitry's mail, a step I probably missed when
>> installing security/ca_root_nss:
>> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> There's an option in the ca_root_nss port to create the symlink, which
> is enabled by default. That option only exists because the ports are
> not supposed to touch anything outside /usr/local -- except that for
> this port, not creating the symlink for /etc/ssl/cert.pem pretty much
> renders the whole port pointless.
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been several
> changes to the list of certs since, so not having the symlink in place
> indicates either that you haven't updated your ports recently, or that
> you've specifically chosen not to enable the symlink. In which case you
> wouldn't have been able to validate the previous cert either.

I first installed the port a couple of years ago and updated regularly, but of course the options value of not installing the symlink, which I then accepted as default, had been saved and was automatically used in every update since. I could not validate the previous cert either, but could check the hash against the published version.

Now using "make rmconfig" and reinstalling the port fixed it for me.

Maybe we should consider bringing the config dialog up again in ports where default values are changed?

Wolfgang
Re: new certificate for svn.freebsd.org?
On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East,
> US West, UK, Russia) but didn't verify cleanly and wasn't in the
> documentation.
>
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
>
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

There's an option in the ca_root_nss port to create the symlink, which is enabled by default. That option only exists because the ports are not supposed to touch anything outside /usr/local -- except that for this port, not creating the symlink for /etc/ssl/cert.pem pretty much renders the whole port pointless.

Even so, the option used to be off by default: the change to 'on by default' was made almost exactly a year ago, and there have been several changes to the list of certs since, so not having the symlink in place indicates either that you haven't updated your ports recently, or that you've specifically chosen not to enable the symlink. In which case you wouldn't have been able to validate the previous cert either.

There really is no excuse for not updating the ca_root_nss port immediately there are updates available. Otherwise you can end up trusting certificates that have since been shown to be less than trustworthy.

That you couldn't verify the cert is not a bug in FreeBSD, but a configuration problem in your own system. Not having the right fingerprint in the docs certainly is a bug which I'm sure will be addressed soon.

Cheers,

Matthew
Re: new certificate for svn.freebsd.org?
On Sat, Jun 18, 2016 at 7:40 AM, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East, US
> West, UK, Russia) but didn't verify cleanly and wasn't in the documentation.
>
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
>
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
>
> Hope this helps,
>
> Ben
>

You might have saved options for security/ca_root_nss which tell the port not to install the symlink. The ETCSYMLINK option has been on by default for quite a long time. Delete the saved options or change them to have the port control the symlink.

-Kimmo
re: new certificate for svn.freebsd.org?
It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org. The new certificate is in place on the 4 mirrors that I found (US East, US West, UK, Russia) but didn't verify cleanly and wasn't in the documentation.

For me, the fix was in Dimitry's mail, a step I probably missed when installing security/ca_root_nss:

sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Hope this helps,

Ben
Re: new certificate for svn.freebsd.org?
On 17 Jun 2016, at 01:21, Wolfgang Zenker <wolfg...@lyxys.ka.sub.org> wrote:
>
> I'm getting presented a new SSL certificate for svn.freebsd.org.
> Like the previous one, it can not be verified by svnlite on any
> of my 10-STABLE machines, though ca_root_nss is installed. But
> the previous certificate at least matched the fingerprint given
> on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html
>
> Trying to update:
> # svnlite up /usr/src
> Updating '/usr/src':
> Error validating server certificate for 'https://svn.freebsd.org:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: svn.freebsd.org
> - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT
> - Issuer: Gandi Standard SSL CA 2, Gandi, Paris, Paris, FR
> - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE

The fingerprint looks good.

> (R)eject, accept (t)emporarily or accept (p)ermanently?
>
> Is it just me?

No, probably everybody who doesn't have ca_root_nss installed. Make sure you have that package installed, and a symlink /etc/ssl/cert.pem pointing to /usr/local/share/certs/ca-root-nss.crt.

Alternatively, manually append the following certificate (CN=AddTrust External CA Root) to /etc/ssl/cert.pem:

-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

-Dimitry
Re: new certificate for svn.freebsd.org?
On 17/06/2016 00:21, Wolfgang Zenker wrote:
> I'm getting presented a new SSL certificate for svn.freebsd.org.
> Like the previous one, it can not be verified by svnlite on any
> of my 10-STABLE machines, though ca_root_nss is installed. But
> the previous certificate at least matched the fingerprint given
> on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html

The certificate was renewed yesterday -- a routine renewal as the cert was due to expire within a week. Looks like the documentation is (as ever) lagging behind.

Not sure why you can't validate the Gandi cert -- presumably this is due to missing an intermediate certificate from Gandi which isn't in the ca_root_nss collection. In those cases, the server should provide the intermediate certificates as well as the site certificate, which it does. (You can use 'openssl s_client' to test, amongst other methods.) This points towards an error in certificate validation in the svnlite code.

Cheers,

Matthew
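As an added example (not part of the thread and not FreeBSD project code), the shell functions below turn the checks discussed in this thread into something an administrator can run on a host or in each jail: Dimitry's check that /etc/ssl/cert.pem is a symlink to the ca_root_nss bundle, a fingerprint comparison against the value the handbook documents (the fingerprint Wolfgang pasted, which Dimitry confirmed), and Matthew's 'openssl s_client' test of whether the chain the server sends validates against the local bundle. The svnlite prompt used as sample input is copied from Wolfgang's report; the function names, the EXPECTED_FP variable and the default paths are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for the FreeBSD trust-store
# setup discussed here, plus two network checks that use openssl(1).

# The fingerprint Wolfgang pasted and Dimitry confirmed; copied from the thread.
EXPECTED_FP="86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE"

# check_ca_bundle [CERT_PEM] [BUNDLE]
# Succeeds only if CERT_PEM is a symlink to BUNDLE, the layout the ca_root_nss
# port creates with its ETCSYMLINK option on. Explains what is wrong otherwise.
check_ca_bundle() {
    cert="${1:-/etc/ssl/cert.pem}"
    bundle="${2:-/usr/local/share/certs/ca-root-nss.crt}"
    if [ ! -e "$bundle" ]; then
        echo "bundle missing: $bundle (install security/ca_root_nss)" >&2
        return 1
    fi
    if [ -L "$cert" ]; then
        target=$(readlink "$cert")
        [ "$target" = "$bundle" ] && return 0
        echo "$cert points at $target, not at $bundle" >&2
        return 1
    fi
    if [ -e "$cert" ]; then
        # A regular file will not follow future updates of the bundle.
        echo "$cert exists but is not a symlink to $bundle" >&2
        return 1
    fi
    echo "$cert missing; fix: ln -s $bundle $cert" >&2
    return 1
}

# normalize_fp FP: drop colons and blanks and upper-case the hex, so values
# copied from the handbook, from svnlite and from openssl compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t' | tr 'abcdef' 'ABCDEF'
}

# fingerprint_matches EXPECTED ACTUAL
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# extract_svn_fingerprint: read svnlite's certificate prompt on stdin and print
# the fingerprint it reports (first "Fingerprint:" line, marker stripped).
extract_svn_fingerprint() {
    sed -n 's/^[ -]*Fingerprint: *//p' | head -n 1
}

# sample_svn_output: the prompt from Wolfgang's report, embedded as sample input.
sample_svn_output() {
    cat <<'EOF'
Error validating server certificate for 'https://svn.freebsd.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.freebsd.org
 - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT
 - Issuer: Gandi Standard SSL CA 2, Gandi, Paris, Paris, FR
 - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE
EOF
}

# server_fingerprint HOST [PORT]: SHA-1 fingerprint of the leaf certificate the
# server presents right now (needs the network; not part of the offline checks).
server_fingerprint() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^SHA1 Fingerprint=//'
}

# verify_chain HOST [CERT_PEM]: Matthew's 'openssl s_client' test; succeeds when
# the chain the server sends validates against the local bundle.
verify_chain() {
    host="$1"; cert="${2:-/etc/ssl/cert.pem}"
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$cert" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Sourced into a shell, 'check_ca_bundle && verify_chain svn.freebsd.org' answers both questions raised in the thread (is the trust store wired up, and does the server's chain validate against it), and 'fingerprint_matches "$EXPECTED_FP" "$(server_fingerprint svn.freebsd.org)"' is the manual fingerprint comparison the svnlite prompt asks for, with the whitespace and case differences between the handbook, svnlite and openssl output taken care of.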
new certificate for svn.freebsd.org?
Hi,

I'm getting presented a new SSL certificate for svn.freebsd.org. Like the previous one, it can not be verified by svnlite on any of my 10-STABLE machines, though ca_root_nss is installed. But the previous certificate at least matched the fingerprint given on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html

Trying to update:
# svnlite up /usr/src
Updating '/usr/src':
Error validating server certificate for 'https://svn.freebsd.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.freebsd.org
 - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT
 - Issuer: Gandi Standard SSL CA 2, Gandi, Paris, Paris, FR
 - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE
(R)eject, accept (t)emporarily or accept (p)ermanently?

Is it just me?

Wolfgang