Date: Sun, 20 Dec 2015 20:55:30 +0100
From: Jiri Horner
To: alpine-devel@lists.alpinelinux.org
Subject: [alpine-devel] pkgs.alpinelinux.org broken tls setup
Message-ID: <20151220195530.GF14943@eucalyptus>

Hi all,

it looks to me that the certificate chain exposed by pkg.alpinelinux.org is wrong.

~$ apk version ca-certificates
Installed:                        Available:
ca-certificates-20150426-r3     = 20150426-r3

~$ gnutls-cli pkgs.alpinelinux.org
Processed 180 CA certificate(s).
Resolving 'pkgs.alpinelinux.org'...
Connecting to '88.159.20.183:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
   issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA',   <-- here
   RSA key 2048 bits, signed using RSA-SHA256,
   activated `2015-08-20 22:25:04 UTC', expires `2016-08-20 12:24:08 UTC',
   SHA-1 fingerprint (...)
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority',
   issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority',
   RSA key 4096 bits, signed using RSA-SHA1,
   activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC',
   SHA-1 (...)
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

It offers the 'StartCom Certification Authority' certificate as Certificate[1]. But it should be 'StartCom Class 1 Primary Intermediate Server CA', which is the issuer of Certificate[0]. Probably somebody placed a CA root cert there instead of the intermediate CA?

Same story with openssl:

~$ openssl s_client -connect pkgs.alpinelinux.org:443
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster@alpinelinux.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster@alpinelinux.org
verify error:num=21:unable to verify the first certificate
verify return:1

Cheers,
Jiri
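
The ordering problem reported in the message above can be checked mechanically by comparing each certificate's subject with the issuer of the one before it. The following is an added example, not part of the original message: the function names and the CORRECTED list are constructed for illustration, and the check compares names only, without verifying signatures.

```python
# Added example: name-chaining check over a presented certificate list.
# It compares subject/issuer names only; it does not verify signatures.

def norm(dn):
    # Simplification: split on commas (no escaped commas in these DNs) and
    # compare as a set so spacing and RDN order do not matter.
    return frozenset(p.strip() for p in dn.split(",") if p.strip())

def check_chain(chain):
    """chain: [(subject, issuer), ...] in the order the server sent them.
    Returns [(index, finding), ...]; an empty list means the names chain."""
    certs = [(norm(s), norm(i)) for s, i in chain]
    findings = []
    for idx in range(1, len(certs)):
        subject, issuer = certs[idx]
        if subject != certs[idx - 1][1]:
            findings.append((idx, "not-issuer-of-previous"))
        if subject == issuer:
            # Roots come from the client's trust store; sending one adds nothing.
            findings.append((idx, "self-signed-root-sent"))
    return findings

BASE = "C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing, CN="
LEAF = "C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org"
INTERMEDIATE = BASE + "StartCom Class 1 Primary Intermediate Server CA"
ROOT = BASE + "StartCom Certification Authority"

# Subject/issuer pairs as reported by gnutls-cli in the message above.
PRESENTED = [(LEAF, INTERMEDIATE), (ROOT, ROOT)]
# Constructed: what a corrected list would look like, assuming the
# intermediate is issued by the root named above.
CORRECTED = [(LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT)]

if __name__ == "__main__":
    for name, chain in (("presented", PRESENTED), ("corrected", CORRECTED)):
        print(name, check_chain(chain) or "names chain correctly")
```
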