Re: [Wireshark-dev] gerrit.wireshark.org certificate trouble?

2018-04-07 Thread Guy Harris
On Apr 7, 2018, at 1:18 PM, Harald Welte wrote:

> Unless there's something odd (MITM) happening on the internet between wireshark.org
> and myself, or Chromium is somehow b0rked, I would expect the gerrit web interface
> to be unusable for everyone at the moment.

To quote Safari on my Mac:

This Connection Is Not Private

This website may be impersonating "gerrit.wireshark.org" to steal your personal or financial
information.  You should close this page.

and, when I ask it to show me the certificate, it says:

staging.wireshark.org
Issued by: Let's Encrypt Authority X3
Expires: Saturday, June 9, 2018 at 9:20:22 PM Pacific Daylight Time

(x) This certificate is not valid (host name mismatch)

Is the mismatch between "gerrit.wireshark.org" and "staging.wireshark.org"?

On the other hand, what is gerrit.wireshark.org used for?  Code reviews are on 
https://code.wireshark.org/review.
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

[Wireshark-dev] gerrit.wireshark.org certificate trouble?

2018-04-07 Thread Harald Welte
Hi all,

when accessing https://gerrit.wireshark.org/ with Chromium 65.0.3325.146, I
get the following error message:

> Your connection is not private
> Attackers might be trying to steal your information from gerrit.wireshark.org 
> (for example, passwords, messages, or credit cards). Learn more
>
> NET::ERR_CERT_COMMON_NAME_INVALID
>
> gerrit.wireshark.org normally uses encryption to protect your information. 
> When Chromium tried to connect to gerrit.wireshark.org this time, the website 
> sent back unusual and incorrect credentials. This may happen when an attacker 
> is trying to pretend to be gerrit.wireshark.org, or a Wi-Fi sign-in screen 
> has interrupted the connection. Your information is still secure because 
> Chromium stopped the connection before any data was exchanged.
>
> You cannot visit gerrit.wireshark.org right now because the website uses 
> HSTS. Network errors and attacks are usually temporary, so this page will 
> probably work later.

The Certificate I'm receiving is issued to CN=staging.wireshark.org and it has no
SubjectAltNames besides staging.wireshark.org.  Its SHA256 fingerprint is

F0 63 E6 64 FD A6 67 41 40 8C 02 2F FD 43 91 E2
C8 44 87 3D AC 87 8A E4 13 32 EA 8C EB 0D 69 DD

Unless there's something odd (MITM) happening on the internet between wireshark.org
and myself, or Chromium is somehow b0rked, I would expect the gerrit web interface
to be unusable for everyone at the moment.

Can somebody confirm and/or report to the respective sysadmin?

Thanks!

Regards,
Harald

-- 
- Harald Welte    http://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option."
  (ETSI EN 300 175-7 Ch. A6)
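
The check both browsers performed, and a way to compare the posted fingerprint across differently formatted reports, as an added example that is not from either poster or from the Wireshark project. `SERVED_CERT` is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, filled with the names reported above; the function names are hypothetical, and this sketch matches against DNS SubjectAltNames only, without consulting the CN.

```python
import hashlib

# Constructed sample (not a captured certificate), using the names from the thread.
SERVED_CERT = {
    "subject": ((("commonName", "staging.wireshark.org"),),),
    "subjectAltName": (("DNS", "staging.wireshark.org"),),
}
# SHA-256 fingerprint as posted in the thread.
REPORTED_FP = ("F0 63 E6 64 FD A6 67 41 40 8C 02 2F FD 43 91 E2 "
               "C8 44 87 3D AC 87 8A E4 13 32 EA 8C EB 0D 69 DD")

def name_matches(pattern, host):
    """Label-wise, case-insensitive match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a single label such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def dns_names(cert):
    """DNS-type SubjectAltName entries of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_ok(cert, host):
    return any(name_matches(name, host) for name in dns_names(cert))

def fingerprint(der):
    """SHA-256 over the DER-encoded certificate, as space-separated hex pairs."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return " ".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def same_fingerprint(a, b):
    """Compare two SHA-256 fingerprints regardless of case and separators."""
    def norm(s):
        return "".join(c for c in s.lower() if c in "0123456789abcdef")
    return len(norm(a)) == 64 and norm(a) == norm(b)

if __name__ == "__main__":
    for host in ("gerrit.wireshark.org", "staging.wireshark.org"):
        verdict = "match" if hostname_ok(SERVED_CERT, host) else "host name mismatch"
        print(f"{host}: {verdict} (certificate names: {dns_names(SERVED_CERT)})")
```

Against a live server, the DER bytes for `fingerprint()` come from `getpeercert(binary_form=True)` on a socket opened with verification disabled, since a verifying context aborts the handshake on exactly this mismatch.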