Re: new certificate for svn.freebsd.org?

2016-06-19 Thread Kimmo Paasiala
On Sat, Jun 18, 2016 at 12:55 PM, Wolfgang Zenker wrote:
> * Matthew Seaman  [160618 11:21]:
>> On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
>>> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
>>> The new certificate is in place on the 4 mirrors that I found (US East,
>>> US West, UK, Russia) but didn't verify cleanly and wasn't in the
>>> documentation.
>
>>> For me, the fix was in Dimitry's mail, a step I probably missed when
>>> installing security/ca_root_nss:
>
>>> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
>
>> There's an option in the ca_root_nss port to create the symlink, which
>> is enabled by default.  That option only exists because the ports are
>> not supposed to touch anything outside /usr/local -- except that for
>> this port, not creating the symlink for /etc/ssl/cert.pem pretty much
>> renders the whole port pointless.
>
>> Even so, the option used to be off by default: the change to 'on by
>> default' was made almost exactly a year ago, and there have been several
>> changes to the list of certs since, so not having the symlink in place
>> indicates either that you haven't updated your ports recently, or that
>> you've specifically chosen not to enable the symlink.  In which case you
>> wouldn't have been able to validate the previous cert either.
>
> I first installed the port a couple of years ago and updated regularly,
> but of course the options value of not installing the symlink, which
> I then accepted as default, had been saved and was automatically used
> in every update since. I could not validate the previous cert either,
> but could check the hash against the published version.
>
> Now using "make rmconfig" and reinstalling the port fixed it for me.
>
> Maybe we should consider bringing the config dialog up again in
> ports where default values are changed?
>
> Wolfgang

That would probably require some reworking of the saved options. Now
there is no information saved if an option is at its default setting
or differs from the default. Without that information evaluating all
options to detect changed defaults for a large set of ports would be
very slow.

-Kimmo
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


re: new certificate for svn.freebsd.org?

2016-06-18 Thread Ben Steel via freebsd-stable

* Matthew Seaman  [160618 11:21]:
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been
> several changes to the list of certs since, so not having the symlink
> in place indicates either that you haven't updated your ports
> recently, or that you've specifically chosen not to enable the
> symlink.  In which case you wouldn't have been able to validate the
> previous cert either.
>
> There really is no excuse for not updating the ca_root_nss port
> immediately there are updates available.  Otherwise you can end up
> trusting certificates that have since been shown to be less than
> trustworthy.
>
> That you couldn't verify the cert is not a bug in FreeBSD, but a
> configuration problem in your own system.  Not having the right
> fingerprint in the docs certainly is a bug which I'm sure will be
> addressed soon.

Thanks for the warnings, Matthew. In my case, the symlink was in place 
in all the relevant jails, just not on the underlying system, which 
pre-dated the config change and communicated only with svn.freebsd.org 
to update the src and ports trees daily. That key had been manually 
verified long ago. I moved the bug report to documentation as soon as I 
realized that my lack of a symlink was at fault.


Hope this helps,
Ben


Re: new certificate for svn.freebsd.org?

2016-06-18 Thread Wolfgang Zenker
* Matthew Seaman  [160618 11:21]:
> On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
>> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
>> The new certificate is in place on the 4 mirrors that I found (US East,
>> US West, UK, Russia) but didn't verify cleanly and wasn't in the
>> documentation.

>> For me, the fix was in Dimitry's mail, a step I probably missed when
>> installing security/ca_root_nss:

>> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

> There's an option in the ca_root_nss port to create the symlink, which
> is enabled by default.  That option only exists because the ports are
> not supposed to touch anything outside /usr/local -- except that for
> this port, not creating the symlink for /etc/ssl/cert.pem pretty much
> renders the whole port pointless.

> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been several
> changes to the list of certs since, so not having the symlink in place
> indicates either that you haven't updated your ports recently, or that
> you've specifically chosen not to enable the symlink.  In which case you
> wouldn't have been able to validate the previous cert either.

I first installed the port a couple of years ago and updated regularly,
but of course the options value of not installing the symlink, which
I then accepted as default, had been saved and was automatically used
in every update since. I could not validate the previous cert either,
but could check the hash against the published version.

Now using "make rmconfig" and reinstalling the port fixed it for me.

Maybe we should consider bringing the config dialog up again in
ports where default values are changed?

Wolfgang


Re: new certificate for svn.freebsd.org?

2016-06-18 Thread Matthew Seaman
On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East,
> US West, UK, Russia) but didn't verify cleanly and wasn't in the
> documentation.
> 
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
> 
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

There's an option in the ca_root_nss port to create the symlink, which
is enabled by default.  That option only exists because the ports are
not supposed to touch anything outside /usr/local -- except that for
this port, not creating the symlink for /etc/ssl/cert.pem pretty much
renders the whole port pointless.

Even so, the option used to be off by default: the change to 'on by
default' was made almost exactly a year ago, and there have been several
changes to the list of certs since, so not having the symlink in place
indicates either that you haven't updated your ports recently, or that
you've specifically chosen not to enable the symlink.  In which case you
wouldn't have been able to validate the previous cert either.

There really is no excuse for not updating the ca_root_nss port
immediately there are updates available.  Otherwise you can end up
trusting certificates that have since been shown to be less than
trustworthy.

That you couldn't verify the cert is not a bug in FreeBSD, but a
configuration problem in your own system.  Not having the right
fingerprint in the docs certainly is a bug which I'm sure will be
addressed soon.

Cheers,

Matthew



Re: new certificate for svn.freebsd.org?

2016-06-18 Thread Kimmo Paasiala
On Sat, Jun 18, 2016 at 7:40 AM, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East, US
> West, UK, Russia) but didn't verify cleanly and wasn't in the documentation.
>
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
>
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
>
> Hope this helps,
>
> Ben
>

You might have saved options for security/ca_root_nss which tell the
port not to install the symlink. The ETCSYMLINK option has been on by
default for quite a long time. Delete the saved options or change them
to have the port control the symlink.

-Kimmo


re: new certificate for svn.freebsd.org?

2016-06-17 Thread Ben Steel via freebsd-stable

It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
The new certificate is in place on the 4 mirrors that I found (US East,
US West, UK, Russia) but didn't verify cleanly and wasn't in the
documentation.

For me, the fix was in Dimitry's mail, a step I probably missed when
installing security/ca_root_nss:

sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Hope this helps,

Ben


Re: new certificate for svn.freebsd.org?

2016-06-17 Thread Dimitry Andric
On 17 Jun 2016, at 01:21, Wolfgang Zenker <wolfg...@lyxys.ka.sub.org> wrote:
> 
> I'm getting presented a new SSL certificate for svn.freebsd.org.
> Like the previous one, it can not be verified by svnlite on any
> of my 10-STABLE machines, though ca_root_nss is installed. But
> the previous certificate at least matched the fingerprint given
> on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html
> 
> Trying to update:
> # svnlite up /usr/src
> Updating '/usr/src':
> Error validating server certificate for 'https://svn.freebsd.org:443':
> - The certificate is not issued by a trusted authority. Use the
>   fingerprint to validate the certificate manually!
> Certificate information:
> - Hostname: svn.freebsd.org
> - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT
> - Issuer: Gandi Standard SSL CA 2, Gandi, Paris, Paris, FR
> - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE

The fingerprint looks good.


> (R)eject, accept (t)emporarily or accept (p)ermanently?
> 
> Is it just me?

No, probably everybody who doesn't have ca_root_nss installed. Make sure
you have that package installed, and a symlink /etc/ssl/cert.pem
pointing to /usr/local/share/certs/ca-root-nss.crt.

Alternatively, manually append the following certificate (CN=AddTrust
External CA Root) to /etc/ssl/cert.pem:


-Dimitry
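The two checks Dimitry asks for, scripted as an added example (this is not code from the thread or from the ca_root_nss port): is /etc/ssl/cert.pem the port's symlink to ca-root-nss.crt, and does the fingerprint svnlite printed match the one published in the handbook. The ROOT prefix argument is an assumption added so the check can be run against a constructed directory tree; on a live FreeBSD host pass an empty string.

```shell
#!/bin/sh
# Added example, not code from the thread. ROOT is an assumed prefix so the
# checks can be exercised on a constructed tree instead of a live system;
# on a real FreeBSD host call: check_cert_symlink ""

# check_cert_symlink ROOT
# The ca_root_nss port (ETCSYMLINK option) creates
# /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt. Returns 0 when
# that symlink exists with exactly that target and the bundle it points at
# holds at least one PEM certificate; otherwise prints why and returns 1.
check_cert_symlink() {
    root=${1%/}
    link="$root/etc/ssl/cert.pem"
    want="/usr/local/share/certs/ca-root-nss.crt"
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "$link is a regular file, not the port's symlink"
        else
            echo "$link missing: ca_root_nss not installed or ETCSYMLINK off"
        fi
        return 1
    fi
    target=$(readlink "$link")
    if [ "$target" != "$want" ]; then
        echo "$link points at $target, expected $want"
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$root$target" 2>/dev/null; then
        echo "$root$target is missing or holds no PEM certificates"
        return 1
    fi
    return 0
}

# svn_fingerprint < svnlite-output
# Prints the value of the "Fingerprint:" line of an svnlite certificate
# prompt so it can be compared with the fingerprint the handbook publishes.
svn_fingerprint() {
    sed -n 's/^[ -]*Fingerprint: *//p' | head -n 1
}

# fingerprint_matches PRINTED EXPECTED
# Compares two SHA-1 fingerprints ignoring case and colon separators, and
# refuses to "match" anything that is not exactly 40 hex digits long.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}
```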


Re: new certificate for svn.freebsd.org?

2016-06-17 Thread Matthew Seaman
On 17/06/2016 00:21, Wolfgang Zenker wrote:
> I'm getting presented a new SSL certificate for svn.freebsd.org.
> Like the previous one, it can not be verified by svnlite on any
> of my 10-STABLE machines, though ca_root_nss is installed. But
> the previous certificate at least matched the fingerprint given
> on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html

The certificate was renewed yesterday -- a routine renewal as the cert
was due to expire within a week.  Looks like the documentation is (as
ever) lagging behind.

Not sure why you can't validate the Gandi cert -- presumably this is due
to missing an intermediate certificate from Gandi which isn't in the
ca_root_nss collection.  In those cases, the server should provide the
intermediate certificates as well as the site certificate, which it
does. (You can use 'openssl s_client' to test, amongst other methods.)

This points towards an error in certificate validation in the svnlite code.

Cheers,

Matthew



new certificate for svn.freebsd.org?

2016-06-16 Thread Wolfgang Zenker
Hi,

I'm getting presented a new SSL certificate for svn.freebsd.org.
Like the previous one, it can not be verified by svnlite on any
of my 10-STABLE machines, though ca_root_nss is installed. But
the previous certificate at least matched the fingerprint given
on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html

Trying to update:
# svnlite up /usr/src
Updating '/usr/src':
Error validating server certificate for 'https://svn.freebsd.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.freebsd.org
 - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT
 - Issuer: Gandi Standard SSL CA 2, Gandi, Paris, Paris, FR
 - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE
(R)eject, accept (t)emporarily or accept (p)ermanently?

Is it just me?

Wolfgang