On 2021-10-02 10:37, Brian Inglis wrote:
On 2021-10-02 09:48, Jon Turney wrote:
On 02/10/2021 14:56, Achim Gratz wrote:
This package by Yaakov is getting long in the tooth and one of my Perl
distributions is using it. Here's the change to pull it up to the
latest iteration from Fedora and make it compatible with the CI:
https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/ca-certificates.git;a=commitdiff;h=33c21d5cd
+# actually get the Fedora sources
+# the output from git must not be seen by cygport…
+git submodule update > /dev/null
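Review bot: `git submodule update` without `--init` only updates submodules that are already registered in `.git/config`, so on a fresh checkout (the CI case this change targets) it fetches nothing and the Fedora sources stay missing; suggest `git submodule update --init > /dev/null`. Also, `> /dev/null` silences stdout only, while git writes clone progress to stderr, so if cygport must see none of the output the redirect needs `2>&1` as well.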
I think it's a scallywag bug that it doesn't currently checkout
packaging repository submodules, so let me try to fix that.
Very timely gentlemen, as it could eliminate or help mitigate the below:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
OpenSSL 1.0.2 packages are now hitting this - see attached log.
Oh-oh!
Seems a bit more widespread than that.
Please see attached log for dumps from all the below:
$ cygcheck wget wget2 curl | egrep \
'^\s*C:/.*/bin/.*(crypto|exe|gpg|krb|ss[hl]|tls)'
C:/.../bin/wget.exe
C:/.../bin/cyggnutls-30.dll
C:/.../bin/cyggpgme-11.dll
C:/.../bin/cyggpg-error-0.dll
C:/.../bin/wget2.exe
C:/.../bin/cyggnutls-30.dll
C:/.../bin/cyggpgme-11.dll
C:/.../bin/cyggpg-error-0.dll
C:/.../bin/curl.exe
C:/.../bin/cygcrypto-1.1.dll
C:/.../bin/cyggpg-error-0.dll
C:/.../bin/cyggssapi_krb5-2.dll
C:/.../bin/cygk5crypto-3.dll
C:/.../bin/cygkrb5support-0.dll
C:/.../bin/cygkrb5-3.dll
C:/.../bin/cygssl-1.1.dll
C:/.../bin/cygssh2-1.dll
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
$ wget -dv https://invisible-mirror.net/archives/
Setting --verbose (verbose) to 1
DEBUG output created by Wget 1.21.1 on cygwin.
Reading HSTS entries from $HOME/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2021-10-02 13:18:02-- https://invisible-mirror.net/archives/
Certificates loaded: 167
Resolving invisible-mirror.net (invisible-mirror.net)... 160.153.42.69
Caching invisible-mirror.net => 160.153.42.69
Connecting to invisible-mirror.net (invisible-mirror.net)|160.153.42.69|:443...
connected.
Created socket 3.
Releasing 0x00000008001febb0 (new refcount 1).
ERROR: The certificate of ‘invisible-mirror.net’ is not trusted.
ERROR: The certificate of ‘invisible-mirror.net’ has expired.
$
$ curl -Iv --trace-ascii - https://invisible-mirror.net/archives/
Warning: --trace-ascii overrides an earlier trace/verbose option
== Info: STATE: INIT => CONNECT handle 0x8000bf178; line 1789 (connection #-5000)
== Info: Added connection 0. The cache now contains 1 members
== Info: STATE: CONNECT => RESOLVING handle 0x8000bf178; line 1835 (connection #0)
== Info: family0 == v4, family1 == v6
== Info: Trying 160.153.42.69:443...
== Info: STATE: RESOLVING => CONNECTING handle 0x8000bf178; line 1917 (connection #0)
== Info: Connected to invisible-mirror.net (160.153.42.69) port 443 (#0)
== Info: STATE: CONNECTING => PROTOCONNECT handle 0x8000bf178; line 1980 (connection #0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
== Info: successfully set certificate verify locations:
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
== Info: CApath: none
== Info: Didn't find Session ID in cache for host HTTPS://invisible-mirror.net:443
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
== Info: STATE: PROTOCONNECT => PROTOCONNECTING handle 0x8000bf178; line 2000 (connection #0)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 106 bytes (0x6a)
<= Recv SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 2472 bytes (0x9a8)
=> Send SSL data, 5 bytes (0x5)
== Info: TLSv1.2 (OUT), TLS alert, certificate expired (557):
=> Send SSL data, 2 bytes (0x2)
== Info: SSL certificate problem: certificate has expired
== Info: multi_done
== Info: The cache now contains 0 members
== Info: Closing connection 0
== Info: Expire cleared (transfer 0x8000bf178)
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$
$ wget2 -dv https://invisible-mirror.net/archives/
02.131808.926 Local URI encoding = 'UTF-8'
02.131808.927 Input URI encoding = 'UTF-8'
02.131808.947 Fetched HSTS data from '$HOME/.local/share/wget/.wget-hsts'
02.131808.950 Fetched HPKP data from '$HOME/.local/share/wget/.wget-hpkp'
02.131808.953 Fetched OCSP hosts from '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131808.956 Fetched OCSP fingerprints from '$HOME/.local/share/wget/.wget-ocsp'
02.131808.956 set_exit_status(0)
02.131808.956 *url =
02.131808.956 *3 https://invisible-mirror.net/archives/
02.131808.956 local filename = 'index.html'
02.131808.956 host_add_job: job fname index.html
02.131808.956 host_add_job: 0x8000a0720 https://invisible-mirror.net/archives/
02.131808.956 host_add_job: qsize 1 host-qsize=1
02.131808.956 queue_size: qsize=1
02.131808.956 queue_size: qsize=1
02.131808.957 queue_size: qsize=1
02.131808.957 [0] action=1 pending=0 host=0x0
02.131808.957 dequeue job https://invisible-mirror.net/archives/
02.131808.957 resolving invisible-mirror.net:443...
02.131808.991 has 160.153.42.69:443
02.131808.991 trying 160.153.42.69:443...
02.131808.992 GnuTLS init
02.131809.130 GnuTLS system certificate store is empty
02.131809.130 Certificates loaded: 167
02.131809.131 GnuTLS init done
02.131809.131 TLS False Start requested
02.131809.131 ALPN offering h2
02.131809.131 ALPN offering http/1.1
ERROR: The certificate is NOT trusted. The certificate chain uses expired certificate.
02.131809.442 gnutls_handshake: (-43) Error in the certificate. (errno=11)
02.131809.442 ALPN: Server accepted protocol 'h2'
----
Certificate info [0]:
Valid since: 2021 Aug 01 Sun 11:19:48
Expires: 2021 Oct 30 Sat 11:19:46
Fingerprint: 5f45fb6a2fb7799fd180c574e6756eb6
Serial number: 5f45fb6a2fb7799fd180c574e6756eb6
Public key: RSA, Medium (2048 bits)
Version: #3
DN: CN=invisible-mirror.net
Issuer's DN: C=US,O=Let's Encrypt,CN=R3
Issuer's OID: 2.5.4.6
Issuer's UID: 2.5.4.6
Certificate info [1]:
Valid since: 2020 Oct 07 Wed 13:21:40
Expires: 2021 Sep 29 Wed 13:21:40
Fingerprint: 312128f5a0ed7ba54b6582928756ba83
Serial number: 312128f5a0ed7ba54b6582928756ba83
Public key: RSA, Medium (2048 bits)
Version: #3
DN: C=US,O=Let's Encrypt,CN=R3
Issuer's DN: O=Digital Signature Trust Co.,CN=DST Root CA X3
Issuer's OID: 2.5.4.10
Issuer's UID: 2.5.4.10
----
Ephemeral ECDH using curve (null)
Key Exchange: ECDHE-RSA
Protocol: TLS1.2
Certificate Type: X.509
Cipher: NULL
MAC: MAC-NULL
----
02.131809.443 closing connection
Failed to connect: Certificate error
02.131809.443 host_final_failure: qsize=0
02.131809.443 set_exit_status(5)
02.131809.443 host_increase_failure: invisible-mirror.net failures=1
02.131809.443 [0] action=3 pending=1 host=0x8000a06a0
02.131809.443 released job https://invisible-mirror.net/archives/
02.131809.443 [0] action=1 pending=0 host=0x0
02.131809.443 host invisible-mirror.net is blocked (qsize=1)
02.131809.443 main: wake up
02.131809.443 main: done
02.131809.450 Successfully updated '$HOME/.local/share/wget/.wget-ocsp_hosts'.
02.131809.451 Saved OCSP hosts to '$HOME/.local/share/wget/.wget-ocsp_hosts'
02.131809.457 Successfully updated '$HOME/.local/share/wget/.wget-ocsp'.
02.131809.458 Saved OCSP fingerprints to '$HOME/.local/share/wget/.wget-ocsp'
02.131809.458 blacklist https://invisible-mirror.net/archives/
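As an added illustration (not code from this thread or from the ca-certificates package), a toy path-building model in Python showing two things the log above points at: the chain the server sent (leaf plus the old R3 issued by DST Root CA X3) fails for every client once that R3 has expired, and an expired DST Root CA X3 left in the CA bundle still breaks a legacy verifier that follows the server's chain as sent, even when ISRG Root X1 is trusted. Subjects, issuers and dates are constructed from the log and Let's Encrypt's published chain; no signatures are checked.

```python
from datetime import date

# Constructed toy certificate: (subject, issuer, not_after). Signatures are not
# checked; issuer links and expiry suffice to show how verifiers diverge.
def cert(subject, issuer, not_after):
    return (subject, issuer, date.fromisoformat(not_after))

def validate(presented, store, today, trusted_first):
    """Walk the presented chain (leaf first) up to a root in `store`; returns (ok, reason).
    trusted_first=False models a legacy verifier that follows the chain as the server
    sent it; trusted_first=True stops as soon as an issuer is a still-valid store root."""
    cur, seen = presented[0], set()
    while True:
        subject, issuer, not_after = cur
        if not_after < today:
            return False, f"{subject} expired {not_after}"
        if trusted_first and issuer in store and store[issuer][2] >= today:
            return True, f"chain ends at trusted {issuer}"
        if subject == issuer:  # self-signed: must itself be in the store
            return subject in store, f"self-signed {subject}"
        seen.add(subject)
        nxt = next((c for c in presented if c[0] == issuer and c[0] not in seen), None)
        if nxt is not None:      # server supplied the issuer: keep following it
            cur = nxt
        elif issuer in store:    # otherwise it must be a trusted root
            cur = store[issuer]
        else:
            return False, f"no issuer found for {subject}"

TODAY = date(2021, 10, 2)  # the day of the attached log
# Roots (constructed; DST Root CA X3 expired on 2021-09-30, ISRG Root X1 did not)
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", "2021-09-30")
ISRG_X1 = cert("ISRG Root X1", "ISRG Root X1", "2035-06-04")
OLD_STORE = {c[0]: c for c in [DST_X3]}           # stale ca-certificates bundle
NEW_STORE = {c[0]: c for c in [DST_X3, ISRG_X1]}  # bundle that also has ISRG Root X1
# Chain as printed by wget2 above: the leaf and the old R3 issued by DST Root CA X3.
LOGGED_CHAIN = [cert("invisible-mirror.net", "R3", "2021-10-30"),
                cert("R3", "DST Root CA X3", "2021-09-29")]
# Let's Encrypt's current default chain: R3 from ISRG Root X1, plus ISRG Root X1
# cross-signed by DST Root CA X3 (constructed from the published expiry dates).
DEFAULT_CHAIN = [cert("invisible-mirror.net", "R3", "2021-10-30"),
                 cert("R3", "ISRG Root X1", "2025-09-15"),
                 cert("ISRG Root X1", "DST Root CA X3", "2024-09-30")]

if __name__ == "__main__":
    for name, chain in [("logged", LOGGED_CHAIN), ("default", DEFAULT_CHAIN)]:
        for sname, store in [("old", OLD_STORE), ("new", NEW_STORE)]:
            for tf in (False, True):
                print(name, sname, "trusted_first" if tf else "chain_first",
                      validate(chain, store, TODAY, tf))
```

Running it prints the four store/verifier combinations for each chain; only the default chain checked by a trusted-first verifier against a bundle containing ISRG Root X1 succeeds.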