From: Matthew Seaman
To: freebsd-stable@freebsd.org
Subject: Re: new certificate for svn.freebsd.org?
Date: Fri, 17 Jun 2016 08:53:15 +0100

On 17/06/2016 00:21, Wolfgang Zenker wrote:
> I'm getting presented a new SSL certificate for svn.freebsd.org.
> Like the previous one, it can not be verified by svnlite on any
> of my 10-STABLE machines, though ca_root_nss is installed. But
> the previous certificate at least matched the fingerprint given
> on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html

The certificate was renewed yesterday -- a routine renewal as the cert
was due to expire within a week. Looks like the documentation is (as
ever) lagging behind.

Not sure why you can't validate the Gandi cert -- presumably this is due
to missing an intermediate certificate from Gandi which isn't in the
ca_root_nss collection. In those cases, the server should provide the
intermediate certificates as well as the site certificate, which it
does. (You can use 'openssl s_client' to test, amongst other methods.)
This points towards an error in certificate validation in the svnlite
code.

Cheers,

Matthew
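
The situation the reply describes, as an added example that is not part of the original message: a constructed root, intermediate and leaf (all names and files hypothetical) show that a trust store holding only the root rejects the leaf on its own and accepts it once the intermediate is supplied alongside, as a server does in its handshake. Nothing here contacts svn.freebsd.org.

```shell
# Added example: constructed PKI (root -> intermediate -> leaf), hypothetical names.
# Build the chain in directory $1; root.pem stands in for the local trust store.
build_chain() (
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" -extensions v3_ca \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile pki.cnf -extensions v3_ca -days 2 -out int.pem 2>/dev/null
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=svn.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null
    # Leaf followed by intermediate: the order a server presents its chain in.
    cat leaf.pem int.pem > served_chain.pem
)

# True only if leaf.pem chains to root.pem; extra arguments go to openssl verify.
verifies() {
    dir=$1; shift
    openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Count PEM certificates on stdin (works on `openssl s_client -showcerts` output).
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----'; }

demo() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || return 1
    verifies "$d" && echo "root only: OK" || echo "root only: FAIL, issuer not found"
    verifies "$d" -untrusted "$d/int.pem" && echo "root + served intermediate: OK"
    echo "certificates served: $(count_certs < "$d/served_chain.pem")"
    rm -rf "$d"
}
demo
```

Against a live host, piping `openssl s_client -connect HOST:443 -showcerts </dev/null` into `count_certs` shows whether more than the site certificate is being sent; a count of 1 means the client must already hold the intermediate.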