NetBSD Problem Report #49040
From martin@duskware.de Sun Jul 27 11:13:40 2014
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 47F86A7BE9
for <gnats-bugs@gnats.NetBSD.org>; Sun, 27 Jul 2014 11:13:40 +0000 (UTC)
Date: Sun, 27 Jul 2014 13:13:34 CEST
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: pkgsrc fails to fetch via https from github
X-Send-Pr-Version: 3.95
>Number: 49040
>Category: lib
>Synopsis: openssl incompatible with github
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jul 27 11:15:00 +0000 2014
>Closed-Date: Sun Jan 01 17:49:52 +0000 2017
>Last-Modified: Sun Jan 01 17:49:52 +0000 2017
>Originator: Martin Husemann
>Release: NetBSD 6.99.49
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-owl.duskware.de 6.99.49 NetBSD 6.99.49 (NIGHT-OWL) #268: Sat Jul 26 16:50:44 CEST 2014 martin@night-owl.duskware.de:/usr/src/sys/arch/amd64/compile/NIGHT-OWL amd64
Architecture: x86_64
Machine: amd64
>Description:
Trying to fetch the "rhino" part of pkgsrc/lang/openjdk7 fails to fetch
https://github.com/downloads/mozilla/rhino/rhino1_7R4.zip
with unparsable error messages like:
140187570456068:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:762:
This is an unacceptable error message from a user perspective.
Trying wget instead, the error is:
Resolving github.com (github.com)... 192.30.252.129
Connecting to github.com (github.com)|192.30.252.129|:443... connected.
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
and using --no-check-certificate successfully downloads the file.
>How-To-Repeat:
make do-fetch in pkgsrc/lang/openjdk7
>Fix:
n/a
>Release-Note:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/49040
Date: Sun, 27 Jul 2014 13:46:18 +0200
I did the mozilla-rootcerts dance (install package, run install, deinstall
package) and now wget can fetch the url even when checking the cert.
However, built-in ftp still fails with the unparsable openssl errors.
Martin
From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: pkg/49040: pkgsrc fails to fetch via https from github
Date: Sun, 27 Jul 2014 13:58:13 +0200
On Sun, Jul 27, 2014 at 11:15:00AM +0000, martin@NetBSD.org wrote:
> Trying to fetch the "rhino" part of pkgsrc/lang/openjdk7 fails to fetch
> https://github.com/downloads/mozilla/rhino/rhino1_7R4.zip
> with unparsable error messages like:
>
> 140187570456068:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:762:
>
> This is an unacceptable error message from a user perspective.
I read that github's certificate expired.
Thomas
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/49040
Date: Sun, 27 Jul 2014 14:48:51 +0200
Trying with:
openssl s_client -connect cloud.github.com:https
doesn't even get to the point where the server certificate could be
verified. I guess something with the openssl in -current is incompatible
with the github servers.
Martin
Responsible-Changed-From-To: pkg-manager->lib-bug-people
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 27 Jul 2014 14:31:41 +0000
Responsible-Changed-Why:
Seems to be an openssl problem, unrelated to pkgsrc
From: "John D. Baker" <jdbaker@mylinuxisp.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/49040
Date: Sun, 27 Jul 2014 09:46:57 -0500 (CDT)
Not specifically about this PR, but perhaps a data point:
Recenctly, fetching from my external mailhost using 'fetchmail' with
POP3S started reporting that the CA (DigiCert) root certificate with
which the server's certificate was signed was not available
("/etc/openssl/certs") when just an hour before it worked without
problems.
This is on NetBSD/sparc-6.1_STABLE. Yes, the certs are there and their
hashed links as well. Refetching the indicated Root Certificate from
DigiCert's web site showed it to be identical to the one I already had.
Unless it's been fixed, the last time I tried to fetch the distfile for
"security/mozilla-rootcerts", it was missing from all sites/mirrors.
--
|/"\ John D. Baker, KN5UKS NetBSD Darwin/MacOS X
|\ / jdbaker[snail]mylinuxisp[flyspeck]com OpenBSD FreeBSD
| X No HTML/proprietary data in email. BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 01 Jan 2017 17:49:52 +0000
State-Changed-Why:
close as requested by martin. this no longer seems to be an issue.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.