bug#23027: 25.1.50; Emacs refuses to talk to eternal-september because they now use an MD5 certificate, apparently
From: Lars Magne Ingebrigtsen
Subject: bug#23027: 25.1.50; Emacs refuses to talk to eternal-september because they now use an MD5 certificate, apparently
Date: Sun, 24 Apr 2016 16:03:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
Lars Magne Ingebrigtsen <larsi@gnus.org> writes:
> Here's an easy test case:
>
> (open-network-stream
>  "nntpd" (get-buffer-create "*foo*")
>  "news.eternal-september.org" "nntp"
>  :type 'starttls
>  :end-of-command "^\\([2345]\\|[.]\\).*\n"
>  :capability-command "HELP\r\n"
>  :success "^3"
>  :starttls-function
>  (lambda (capabilities)
>    (if (not (string-match "STARTTLS" capabilities))
>        nil
>      "STARTTLS\r\n")))
>
> First of all, I think the error message is lacking. It should say more
> about what's failing.
I've now fixed this...
> As to the bug -- gnutls by default now refuses to deal with MD5
> certificates. We could override that, and instead let the network
> security manager notify the user that the connection isn't safe.
This apparently has nothing to do with MD5? Included below is what
s_client says about the TLS connection. It's ECDSA...
Hm... but there is a self signed certificate in the chain. Uhm...
using GNUTLS_VERIFY_DISABLE_CA_SIGN doesn't help, I still get
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM. Hm...
Is it possible that the gnutls installation is just too old or
something? Weird.
[larsi@stories /usr/include/gnutls]$ openssl s_client -connect news.eternal-september.org:nntps
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=news.eternal-september.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
subject=/CN=news.eternal-september.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 4358 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4086 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 79FA1DD8A295D1D96475BE1818E88C3C28059A074AA8B743871B48243C203072
Session-ID-ctx:
Master-Key: 156AF5671933E472B5B2E5ACAED0FB40B6F4EE997F9F2DABA13F548E9B64DB4565C4FD9B7D9539AF0D7A77B64E3942F4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1461506257
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
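A small triage script for the kind of `openssl s_client` transcript quoted in the report above: it parses the presented certificate chain, flags links whose subject equals their issuer, and pairs that with the verify return code. This is an added example, not code from the bug report or from Emacs; the embedded SAMPLE is a condensed copy of the transcript quoted in the report.

```python
# Triage an `openssl s_client` transcript: list the presented chain, flag
# self-signed links and extract the verify result. Added example, not code
# from the bug report; SAMPLE condenses the s_client output quoted in it.
import re
from dataclasses import dataclass

SAMPLE = """\
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=news.eternal-september.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

@dataclass
class ChainLink:
    depth: int
    subject: str
    issuer: str

    def self_signed(self) -> bool:
        # subject == issuer marks a self-signed (root) certificate
        return self.subject == self.issuer

# " 0 s:<subject>" with "   i:<issuer>" on the following line
_LINK = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.M)
_VERIFY = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")

def parse_chain(text: str) -> list:
    return [ChainLink(int(d), s.strip(), i.strip())
            for d, s, i in _LINK.findall(text)]

def triage(text: str) -> dict:
    chain = parse_chain(text)
    ver = _VERIFY.search(text)
    code = int(ver.group(1)) if ver else None
    return {
        "chain_depth": len(chain),
        "leaf_subject": chain[0].subject if chain else None,
        "self_signed_depths": [c.depth for c in chain if c.self_signed()],
        "verify_code": code,
        "verify_reason": ver.group(2) if ver else "",
        # 19 plus a self-signed last link: the server sent its own root and
        # the local trust store does not contain it (the report's situation)
        "root_untrusted": code == 19 and bool(chain) and chain[-1].self_signed(),
    }
```

Feeding it a saved transcript separates "the server presented a root we do not trust" from other verify failures before anyone starts loosening verification flags.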