On 2024-07-14 11:05, Brian Inglis via Cygwin-apps wrote:
On 2024-07-13 15:03, Brian Inglis wrote:
On 2024-07-13 14:43, Brian Inglis via Cygwin-apps wrote:
On 2024-06-30 05:31, ASSI wrote:
The following packages have been uploaded to the Cygwin distribution:
ca-certificates-2024.2.66_v8.0.302-1
The ca-certificates-letsencrypt package has been removed, since all
signatures using the cross-signed certificate chain for Let's Encrypt
root servers have long expired. In other words, the problem this
package was solving no longer exists.
Hi folks,
Any chance a cert may have been dropped inadvertently?
Or some other update I or others may have packaged could have messed up email.
I can no longer use cygport announce or git send-email via this mail server,
but Windows Thunderbird still works!
Have any Let's Encrypt Intermediate certs been dropped?
While Cygwin uses ISRG Root X1 -> R3 -> Cygwin.com my email provider may use
ISRG Root X1 -> R11 -> hover.com - all valid until later this year or much
longer - checking if they may use a different email cert chain or CA.
Hi folks,
Re-installed last ca-certificates-letsencrypt package and cygport announce and
git send-email are working again.
Some unexpired letsencrypt certificates should probably have been migrated to
ca-certificates or left in ca-certificates-letsencrypt?
Trying cygport --debug and git send-email --smtp-debug=1 do not show any cert
validation - any ideas how to see what certs are used in email auth?
Found an answer for that on
https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate/131628#131628
for example:
$ openssl s_client -connect mail.example.com:465
which using the correct servers and ports gives the certs in the attached log:
DigiCert Global Root G2 -> RapidSSL TLS RSA CA G1 -> *.hover.com
so were any DigiCert certs harmed in the making of this package? ;^>
Current DigiCert CA Root and Intermediate certs are shown in:
https://www.digicert.com/kb/digicert-root-certificates.htm
I have added some non-packaged CA certs in the past and I can try doing that
again if it is required to help?
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
$ openssl s_client -connect mail.hover.com:465
CONNECTED(00000004)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.hover.com
verify return:1
---
Certificate chain
 0 s:CN = *.hover.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 14 00:00:00 2024 GMT; NotAfter: Jul 13 23:59:59 2025 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 2 12:24:33 2017 GMT; NotAfter: Nov 2 12:24:33 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
subject=CN = *.hover.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4263 bytes and written 416 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 2F063DDECF82BDB47837150A38D526EBE3E6F28D225556EA68FB9F4204DC82E3
Session-ID-ctx:
Resumption PSK:
DEBAA4572527B328756CB739AF2081065B9CB532CF5ADE2520FF7A293006FB720679829CD2BAC75AEF572C192A3968CC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1720977481
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 73EFC50C1A1EC6A80D33700E1EC7592A6B0C7D1D4EBA7D5EB546CD1E81CA2710
Session-ID-ctx:
Resumption PSK:
B1E63E06DBCF2B498F46F0705A1D746B1C7855C070005F3E2352580FB428811AEE27116FDD5A88D384BFAFC59FA95327
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1720977481
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
220 smtp.hostedemail.com ESMTP
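
An added example, not part of the thread or of any Cygwin tooling: a small parser for the "Certificate chain" block of `openssl s_client` text output that names the root CA the local bundle has to contain and lists any certificate past its NotAfter date. The function names are hypothetical and the sample is constructed from the chain in the log above, with two issuer lines left wrapped the way a mail client wraps them.

```python
import re
from datetime import datetime, timezone

# Constructed sample: chain block from the log above (a:PKEY lines omitted,
# two issuer lines left wrapped to show that wrapped output is re-joined).
SAMPLE = """\
Certificate chain
 0 s:CN = *.hover.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA
G1
   v:NotBefore: Jul 14 00:00:00 2024 GMT; NotAfter: Jul 13 23:59:59 2025 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   v:NotBefore: Nov 2 12:24:33 2017 GMT; NotAfter: Nov 2 12:24:33 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root
G2
   v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
"""

def cn(dn):
    m = re.search(r"\bCN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn

def parse_chain(text):
    """Parse the 'Certificate chain' block into [{'s':.., 'i':.., 'v':..}, ..]."""
    body = text.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    chain, key = [], None
    for line in filter(None, map(str.strip, body.splitlines())):
        if m := re.match(r"(\d+) s:(.*)", line):       # new certificate entry
            chain.append({"s": m.group(2)})
            key = "s"
        elif chain and (m := re.match(r"([iav]):(.*)", line)):
            key = m.group(1)
            chain[-1][key] = m.group(2)
        elif chain:
            chain[-1][key] += " " + line               # wrapped continuation
    return chain

def trust_anchor(chain):   # issuer of the last cert sent = root the bundle needs
    return cn(chain[-1]["i"])

def not_after(cert):
    stamp = cert["v"].split("NotAfter:")[1].strip()
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def expired(chain, now):
    return [cn(c["s"]) for c in chain if not_after(c) < now]
```

Feed it the saved output of `openssl s_client -connect host:port` and compare `trust_anchor()` against the roots present in the installed CA bundle.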