Your message dated Thu, 25 Mar 2010 19:50:23 -0500
with message-id <[email protected]>
and subject line Re: Bug#573736: https SSL verification fails
has caused the Debian Bug report #573736,
regarding https SSL verification fails
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
573736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573736
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: git-core
Version: 1:1.7.0-1
Severity: normal
On a sid system:
git clone https://alioth.debian.org/anonscm/git/pkg-wml/pkg-wml.git
Initialized empty Git repository in /home/tg/shared/pkg-wml/.git/
error: server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing
https://alioth.debian.org/anonscm/git/pkg-wml/pkg-wml.git/info/refs
fatal: HTTP request failed
On the same system:
$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect alioth.debian.org:443
CONNECTED(00000003)
depth=2 /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certificate
Authority/[email protected]
verify return:1
depth=1 /O=Debian/CN=ca.debian.org/[email protected]
verify return:1
depth=0 /O=Debian/CN=alioth.debian.org/[email protected]
verify return:1
---
Certificate chain
0 s:/O=Debian/CN=alioth.debian.org/[email protected]
i:/O=Debian/CN=ca.debian.org/[email protected]
1 s:/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certificate
Authority/[email protected]
i:/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certificate
Authority/[email protected]
2 s:/O=Debian/CN=ca.debian.org/[email protected]
i:/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certificate
Authority/[email protected]
---
Server certificate
subject=/O=Debian/CN=alioth.debian.org/[email protected]
issuer=/O=Debian/CN=ca.debian.org/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 5873 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1F8089E9770D7935451E33149FC5996F5318C5D11CC649BA6DADFCA34EB1C8B8
Session-ID-ctx:
Master-Key:
48277EF434E495701C3D285284581114FB60221310DD57B48B1A4B4EA0A7979A66FCE49F4F6532B8D7CA735739E5AE94
Key-Arg : None
Start Time: 1268488768
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
QUIT
DONE
So this is not a problem with the ca bundle. I think this is
because it doesn't correctly validate the chain or something.
Same on Lenny, FWIW.
bye,
//mirabilos, sitting at Debian booth at Chemnitzer Linuxtage
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages git-core depends on:
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libcurl3-gnutls 7.20.0-1 Multi-protocol file transfer libra
ii libdigest-sha1-perl 2.12-1 NIST SHA-1 message digest algorith
ii liberror-perl 0.17-1 Perl module for error/exception ha
ii libexpat1 2.0.1-7 XML parsing C library - runtime li
ii perl-modules 5.10.1-11 Core Perl modules
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages git-core recommends:
ii less 436-1 pager program similar to more
ii openssh-client [ssh-client] 1:5.3p1-3 secure shell (SSH) client, for sec
ii patch 2.6-2 Apply a diff file to an original
ii rsync 3.0.7-2 fast remote file copy program (lik
Versions of packages git-core suggests:
pn git-arch <none> (no description available)
pn git-cvs <none> (no description available)
pn git-daemon-run <none> (no description available)
pn git-doc <none> (no description available)
pn git-email <none> (no description available)
pn git-gui <none> (no description available)
pn git-svn <none> (no description available)
pn gitk <none> (no description available)
pn gitweb <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Simon Josefsson wrote:
> It seems alioth.debian.org is configured incorrectly, the chain it is
> sending isn't sorted in the right order:
Thanks for the analysis. I’ve added it to the Alioth request tracker [1].
It would be nice if this had been easier to diagnose; I’ll file a
separate report for that. Thanks for all the help.
Cheers,
Jonathan
[1]
https://alioth.debian.org/tracker/index.php?func=detail&aid=312415&group_id=1&atid=200001
--- End Message ---
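The mis-ordering diagnosed in the reply can be read off the "Certificate chain" section of the openssl s_client output in the report: certificate 0 is issued by ca.debian.org, but the next certificate sent is the self-signed root. The following is an added example, not part of the original messages and not code from git, curl or GnuTLS; it parses that section and flags every position where a certificate is not followed by its issuer. The function names and the abbreviated sample (emailAddress fields omitted) are constructed for illustration.

```python
import re

# Constructed sample modelled on the s_client output in the report
# (emailAddress fields omitted); one DN is wrapped the way the mail wrapped it.
ROOT = "/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certificate Authority"
SAMPLE = f"""Certificate chain
 0 s:/O=Debian/CN=alioth.debian.org
   i:/O=Debian/CN=ca.debian.org
 1 s:/C=US/ST=Indiana/L=Indianapolis/O=Software in the Public
Interest/OU=hostmaster/CN=Certificate Authority
   i:{ROOT}
 2 s:/O=Debian/CN=ca.debian.org
   i:{ROOT}
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs, field, in_chain = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break
        elif in_chain and re.match(r"\d+ s:", line):
            certs.append({"s": line.split("s:", 1)[1], "i": ""})
            field = "s"
        elif in_chain and line.startswith("i:") and certs:
            certs[-1]["i"], field = line[2:], "i"
        elif in_chain and certs:
            certs[-1][field] += " " + line      # continuation of a wrapped DN
    return [(c["s"], c["i"]) for c in certs]

def check_order(chain):
    """Name-based check only (no signatures): each cert must be issued by the next."""
    problems, last = [], len(chain) - 1
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer and n != last:
            problems.append(f"cert {n} is self-signed but is not last")
        elif subject != issuer and n != last and chain[n + 1][0] != issuer:
            problems.append(f"cert {n} is not issued by cert {n + 1}")
    return problems

def sorted_order(chain):
    """Indices of the sent certs rearranged leaf -> root by following issuer names."""
    by_subject = {s: n for n, (s, _) in enumerate(chain)}
    order, n = [], 0 if chain else None
    while n is not None and n not in order:
        order.append(n)
        n = by_subject.get(chain[n][1])
    return order
```

Feeding it the "Certificate chain" block from a live openssl s_client run gives the same check against a real server; an empty result from check_order means the order is leaf, intermediate(s), root.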