On Tue, Jun 19, 2007 at 05:43:20AM +0000, Taylor R Campbell wrote:
> I just fetched Savannah's x.509 certificates from
> <http://savannah.gnu.org/tls/> and verified the signed PGP message
> containing the fingerprints. I first noticed that there's a
> fingerprint for `cvs.*gnu.org', without any link to a certificate
> above. Then I checked the fingerprints on all the certificates, and
> found that while the certificate authority matched the fingerprint
> listed in the signed PGP message, the other two didn't. Here are the
> fingerprints that the signed PGP message claims:
>
> savannah.gnu.org:
>   * SHA1 Fingerprint=59:62:0B:EF:A2:AA:FE:C1:6B:39:CB:A5:90:65:42:F5:81:A2:AE:A9
>   * MD5 Fingerprint=93:9C:BC:3C:2D:7C:42:D4:B1:15:B1:B6:B6:ED:EC:A0
> savannah.nongnu.org:
>   * SHA1 Fingerprint=B9:8A:FE:4B:B8:B5:27:BF:44:71:7A:28:23:19:38:3A:34:E6:83:E0
>   * MD5 Fingerprint=07:EA:E7:86:B0:0F:F0:0F:7F:AC:82:2C:2E:F2:1B:C3
>
> Here are the actual fingerprints that I obtained with `openssl x509
> -fingerprint -noout -in ...', with and without the `-sha1' option to
> alter between MD5 and SHA1:
>
> savannah.gnu.org:
>   * SHA1 Fingerprint=5C:09:4A:82:12:06:20:89:CF:5F:F2:FC:AE:6A:2C:54:7B:8E:EA:5E
>   * MD5 Fingerprint=E2:4A:D7:0D:5F:53:A2:54:3A:CA:8B:01:DD:60:91:A4
> savannah.nongnu.org:
>   * SHA1 Fingerprint=CA:06:57:BF:5B:35:94:0E:98:1B:28:81:83:47:BB:07:F4:EC:7B:D1
>   * MD5 Fingerprint=52:34:FD:6B:42:19:0A:E3:AD:8D:85:37:FF:ED:1B:72
>
> I'm not wizardly enough with OpenSSL to make it verify whether a
> certificate was, in fact, signed by an issuer, to check the validity
> of the savannah.gnu.org and savannah.nongnu.org certificates against
> Savannah's certificate authority. I don't doubt that they were, but
> is there any reason why the fingerprints do not match?

Yes, the page had links to download outdated certificates from last year (the fingerprints are up-to-date).

I fixed the page and added instructions on how to display/check the certificates using GnuTLS, and also how to extract the certificate out of the running server.

--
Sylvain
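
The comparison discussed in this thread, as an added example (not part of the original messages or of Savannah's instructions): it recomputes fingerprints as digests of a certificate's DER bytes and checks them against lines in the `SHA1 Fingerprint=` / `MD5 Fingerprint=` format quoted above. The PEM blobs, the `host.example` listing and all function names are constructed for illustration; the blobs are arbitrary bytes wrapped as PEM, not real certificates.

```python
import hashlib
import re
import ssl

# Matches lines such as "* SHA1 Fingerprint=59:62:..."; the label is matched
# case-insensitively so differently cased tool output still parses.
FP_LINE = re.compile(r"(sha1|md5)\s+fingerprint\s*=\s*([0-9a-f:]+)", re.I)


def fingerprint(pem: str, algo: str) -> str:
    """Digest of the certificate's DER bytes, formatted as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_published(text: str) -> dict:
    """Extract {algo: fingerprint} from one host's section of the verified listing."""
    return {algo.lower(): fp.upper() for algo, fp in FP_LINE.findall(text)}


def check(pem: str, published_text: str) -> dict:
    """Compare each published digest with the one computed from the file in hand."""
    wanted = parse_published(published_text)
    if not wanted:
        raise ValueError("no fingerprint lines found in the published text")
    return {algo: fingerprint(pem, algo) == fp for algo, fp in wanted.items()}


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
CURRENT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: certificate the server presents")
STALE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: outdated download from last year")

# Constructed listing in the thread's format, describing CURRENT_PEM.
PUBLISHED = (
    "host.example:\n"
    f"* SHA1 Fingerprint={fingerprint(CURRENT_PEM, 'sha1')}\n"
    f"* MD5 Fingerprint={fingerprint(CURRENT_PEM, 'md5')}\n"
)

if __name__ == "__main__":
    for name, pem in (("current", CURRENT_PEM), ("stale", STALE_PEM)):
        result = check(pem, PUBLISHED)
        print(name, "OK" if all(result.values()) else f"MISMATCH {result}")
```

A mismatch on every algorithm, as with the stale file here, indicates a different certificate than the one the listing describes; it says nothing about which of the two is the one the server currently presents.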
