NetBSD Problem Report #49040

From martin@duskware.de  Sun Jul 27 11:13:40 2014
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 47F86A7BE9
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 27 Jul 2014 11:13:40 +0000 (UTC)
Date: Sun, 27 Jul 2014 13:13:34 CEST
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: pkgsrc fails to fetch via https from github
X-Send-Pr-Version: 3.95

>Number:         49040
>Category:       lib
>Synopsis:       openssl incompatible with github
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 27 11:15:00 +0000 2014
>Closed-Date:    Sun Jan 01 17:49:52 +0000 2017
>Last-Modified:  Sun Jan 01 17:49:52 +0000 2017
>Originator:     Martin Husemann
>Release:        NetBSD 6.99.49
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-owl.duskware.de 6.99.49 NetBSD 6.99.49 (NIGHT-OWL) #268: Sat Jul 26 16:50:44 CEST 2014 martin@night-owl.duskware.de:/usr/src/sys/arch/amd64/compile/NIGHT-OWL amd64
Architecture: x86_64
Machine: amd64
>Description:

Trying to fetch the "rhino" part of pkgsrc/lang/openjdk7 fails to fetch
https://github.com/downloads/mozilla/rhino/rhino1_7R4.zip
with unparsable error messages like:

140187570456068:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:762:

This is an unacceptable error message from a user perspective.

Trying wget instead, the error is:

Resolving github.com (github.com)... 192.30.252.129
Connecting to github.com (github.com)|192.30.252.129|:443... connected.
ERROR: cannot verify github.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.

and using --no-check-certificate successfully downloads the file.

>How-To-Repeat:
make do-fetch in pkgsrc/lang/openjdk7

>Fix:
n/a

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49040
Date: Sun, 27 Jul 2014 13:46:18 +0200

 I did the mozilla-rootcerts dance (install package, run install, deinstall
 package) and now wget can fetch the url even when checking the cert.

 However, built-in ftp still fails with the unparsable openssl errors.

 Martin

From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: pkg/49040: pkgsrc fails to fetch via https from github
Date: Sun, 27 Jul 2014 13:58:13 +0200

 On Sun, Jul 27, 2014 at 11:15:00AM +0000, martin@NetBSD.org wrote:
 > Trying to fetch the "rhino" part of pkgsrc/lang/openjdk7 fails to fetch
 > https://github.com/downloads/mozilla/rhino/rhino1_7R4.zip
 > with unparsable error messages like:
 > 
 > 140187570456068:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:762:
 > 
 > This is an unacceptable error message from a user perspective.

 I read that github's certificate expired.
  Thomas

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49040
Date: Sun, 27 Jul 2014 14:48:51 +0200

 Trying with:

 openssl s_client -connect cloud.github.com:https

 doesn't even get to the point where the server certificate could be
 verified. I guess something with the openssl in -current is incompatible
 with the github servers.

 Martin

Responsible-Changed-From-To: pkg-manager->lib-bug-people
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 27 Jul 2014 14:31:41 +0000
Responsible-Changed-Why:
Seems to be an openssl problem, unrelated to pkgsrc


From: "John D. Baker" <jdbaker@mylinuxisp.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/49040
Date: Sun, 27 Jul 2014 09:46:57 -0500 (CDT)

 Not specifically about this PR, but perhaps a data point:

 Recently, fetching from my external mailhost using 'fetchmail' with
 POP3S started reporting that the CA (DigiCert) root certificate with
 which the server's certificate was signed was not available
 ("/etc/openssl/certs") when just an hour before it worked without
 problems.

 This is on NetBSD/sparc-6.1_STABLE.  Yes, the certs are there and their
 hashed links as well.  Refetching the indicated Root Certificate from
 DigiCert's web site showed it to be identical to the one I already had.

 Unless it's been fixed, the last time I tried to fetch the distfile for
 "security/mozilla-rootcerts", it was missing from all sites/mirrors.

 -- 
 |/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
 |\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
 | X  No HTML/proprietary data in email.   BSD just sits there and works!
 |/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 01 Jan 2017 17:49:52 +0000
State-Changed-Why:
close as requested by martin. this no longer seems to be an issue.
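
Added example, not part of the original report or of NetBSD/OpenSSL code: a decoder for the error-queue line quoted in the Description, showing that reason 0x410 is a TLS alert sent by the server (handshake_failure) rather than a local certificate verification failure. It assumes the OpenSSL 1.0.x code layout (8-bit library, 12-bit function, 12-bit reason); the second sample line is constructed for contrast and its file and line fields are placeholders.

```python
import re

# OpenSSL 1.0.x packs an error code as 8 bits library, 12 bits function,
# 12 bits reason (ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000: TLS alert received from peer

# Subset of TLS alert descriptions from RFC 5246, section 7.2.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version",
              71: "insufficient_security"}

# thread-id:error:CODE:library:function:reason:file:line:optional-data
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>.*):(?P<line>\d+):(?P<data>.*)$")

# The line quoted in the report.
PAGE_LINE = ("140187570456068:error:14077410:SSL routines:"
             "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:"
             "/usr/src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:762:")
# Constructed sample (not from the report) for contrast: a local
# certificate verification failure; file and line number are placeholders.
CONSTRUCTED_VERIFY_LINE = ("1:error:14090086:SSL routines:"
                           "SSL3_GET_SERVER_CERTIFICATE:"
                           "certificate verify failed:s3_clnt.c:0:")


def decode_error_line(text):
    """Split one error-queue line and classify where the failure arose."""
    m = LINE_RE.match(text.strip())
    if m is None:
        raise ValueError("not an OpenSSL error-queue line")
    code = int(m.group("code"), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "function_name": m.group("func"), "text": m.group("reason"),
            "origin": "local", "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The remote end sent a TLS alert; reason - 1000 is the alert number.
        number = reason - SSL_AD_REASON_OFFSET
        info["origin"] = "peer alert"
        info["alert"] = TLS_ALERTS.get(number, "alert %d" % number)
    return info


if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_VERIFY_LINE):
        print(decode_error_line(sample))
```

A "peer alert" result points at protocol or cipher negotiation with the server, which installing root certificates does not change; a "local" result with reason 134 points at the trust store instead.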


>Unformatted:
