[alpine-devel] pkgs.alpinelinux.org broken tls setup

From: Jiri Horner <laeqten_at_gmail.com>
Date: Sun, 20 Dec 2015 20:55:30 +0100

Hi all,

It looks to me that the certificate chain exposed by pkgs.alpinelinux.org is wrong.

~$ apk version ca-certificates
Installed: Available:
ca-certificates-20150426-r3 = 20150426-r3
~$ gnutls-cli pkgs.alpinelinux.org
Processed 180 CA certificate(s).
Resolving 'pkgs.alpinelinux.org'...
Connecting to '88.159.20.183:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster_at_alpinelinux.org',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Class 1 Primary Intermediate Server CA', <-- here
 RSA key 2048 bits, signed using RSA-SHA256, activated
 `2015-08-20 22:25:04 UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint
 (...)
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1
(...)
 - Status: The certificate is NOT trusted. The certificate issuer is unknown.
 *** PKI verification of server certificate failed...
 *** Fatal error: Error in the certificate.

It offers the 'StartCom Certification Authority' certificate as Certificate[1]. But
it should be 'StartCom Class 1 Primary Intermediate Server CA', which is the issuer
of Certificate[0].

Probably somebody placed a CA root cert there instead of the intermediate CA?

Same story with openssl:

~$ openssl s_client -connect pkgs.alpinelinux.org:443
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster_at_alpinelinux.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster_at_alpinelinux.org
verify error:num=21:unable to verify the first certificate
verify return:1

Cheers,
Jiri

Received on Sun Dec 20 2015 - 20:55:30 UTC
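
The chain-order problem reported above, as an added example that is not part of the original message: a Python check that parses the certificate list printed by gnutls-cli and tests whether each certificate's issuer is the subject of the next certificate sent. The function names are hypothetical, the sample is the output above trimmed to its subject and issuer fields, and the check compares names only, not signatures.

```python
import re

# Constructed sample: the gnutls-cli certificate list quoted above,
# trimmed to the subject and issuer fields.
SAMPLE = """\
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster_at_alpinelinux.org',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 2048 bits
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Certification Authority', RSA key 4096 bits
"""

CERT_RE = re.compile(r"Certificate\[\d+\] info:(.*?)(?=- Certificate\[|\Z)", re.S)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    for body in CERT_RE.findall(text):
        pair = []
        for field in ("subject", "issuer"):
            m = re.search(field + r" `(.*?)'", body, re.S)
            # Long DNs wrap in the output: drop the line break and indent.
            pair.append(re.sub(r"\s*\n\s*", "", m.group(1)) if m else "")
        chain.append(tuple(pair))
    return chain


def check_chain(chain):
    """Name-only linkage check (no signature verification, hypothetical helper)."""
    problems = []
    for i, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            if i > 0:
                problems.append(f"cert[{i}] is a self-signed root; clients use their own trust store for roots")
            continue
        # The last certificate's issuer may legitimately live in the client's store.
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            problems.append(f"cert[{i}] issuer is not the subject of cert[{i + 1}]: intermediate missing")
    return problems


if __name__ == "__main__":
    for line in check_chain(parse_chain(SAMPLE)):
        print(line)
```

A chain of the leaf followed by the 'StartCom Class 1 Primary Intermediate Server CA' certificate passes this check with no findings.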