Re: TLS certificate on elpa.gnu.org

From: Eli Zaretskii
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 04 Feb 2018 18:29:29 +0200

> From: Neil Okamoto <address@hidden>
> Date: Sat, 3 Feb 2018 19:13:03 -0800
> elpa.gnu.org seems to be malformed in a way that causes some SSL analyzers
> to warn about "extra certs".
> For instance https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org
> reports
> Certificates provided | 3 (3732 bytes)
> Chain issues | Incorrect order, Extra certs
> And of the three certificates found, it appears certificate[0] and
> certificate[1] are identical. Is the duplication considered "out of order"?
> Because indeed, on older variants of Ubuntu where gnutls-cli v2.12.23 is
> in use (this is the case for the container infrastructure on Travis CI),
> we have this:
> # gnutls-cli -v
> gnutls-cli (GnuTLS) 2.12.23
> Packaged by Debian (2.12.23-12ubuntu2.8)
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.

Isn't this an awfully old version of GnuTLS?  I have here 3.4.15, and
it doesn't complain about the GNU ELPA certificate.  It says "Status:
The certificate is trusted."

> It's causing me to introduce workarounds, such as downloading a newer
> gnutls source package and compiling it locally in the Travis CI build. I
> would really prefer not to do this. It adds unnecessary time and
> complexity to the CI setup for some Emacs packages, and (conversely) one
> can imagine other Emacs package maintainers may be avoiding the
> complexity by not implementing CI for their projects.
> Can someone more knowledgeable about the standards, the evolution of
> gnutls since 2.12, and the server configuration of elpa.gnu.org please
> weigh in on this?

I'm not such an expert on this, but in general, security assumes
latest versions of related software and databases.
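The duplicate-and-order check behind the "Extra certs" / "Incorrect order" report Neil quotes, written out as an added Python example (not code from this thread, from GnuTLS or from SSL Labs). The certificate records, fingerprints and CA names are constructed stand-ins, and the order rule applied (each served certificate must be followed by its issuer, leaf first) is an assumption about what the analyzer means, not its documented algorithm.

```python
from collections import namedtuple

# Records stand in for fields parsed from `openssl s_client -showcerts` PEM output.
CertInfo = namedtuple("CertInfo", "subject issuer fingerprint")

def find_leaf(chain):
    """A leaf issues nothing in the set; fall back to the first cert served."""
    issuers = {c.issuer for c in chain}
    candidates = [c for c in chain if c.subject not in issuers]
    return candidates[0] if candidates else chain[0]

def build_path(chain):
    """Rebuild the intended order: leaf, then the cert whose subject matches
    the previous issuer, until a self-signed root or a missing issuer ends it."""
    by_subject = {}
    for c in chain:
        by_subject.setdefault(c.subject, c)  # first copy wins on duplicates
    current = find_leaf(chain)
    path, seen = [current], {current.fingerprint}
    while current.issuer != current.subject:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.fingerprint in seen:  # missing issuer or a loop
            break
        path.append(nxt)
        seen.add(nxt.fingerprint)
        current = nxt
    return path

def chain_issues(chain):
    """Issue labels for the chain exactly as served, as a set of strings."""
    issues = set()
    served = [c.fingerprint for c in chain]
    if len(set(served)) != len(served):
        issues.add("Extra certs")  # the same certificate sent more than once
    expected = build_path(chain)
    needed = {c.fingerprint for c in expected}
    if any(fp not in needed for fp in served):
        issues.add("Extra certs")  # a certificate that is not on the path
    for i, cert in enumerate(expected):  # position i must hold path element i
        if i >= len(chain) or chain[i].fingerprint != cert.fingerprint:
            issues.add("Incorrect order")
            break
    return issues

# Constructed records modelling the thread's observation (CA names are placeholders):
LEAF = CertInfo("CN=elpa.gnu.org", "CN=Example Intermediate CA", "fp-leaf")
INTERMEDIATE = CertInfo("CN=Example Intermediate CA", "CN=Example Root CA", "fp-int")
SERVED_CHAIN = [LEAF, LEAF, INTERMEDIATE]  # leaf twice: {'Extra certs', 'Incorrect order'}
FIXED_CHAIN = [LEAF, INTERMEDIATE]         # leaf once, then its issuer: set()
```

Under this rule a duplicated leaf is indeed reported as both findings at once, which is the situation Neil asks about; sending each certificate once, leaf first, clears both.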

