Date: Wed, 05 Oct 2016 10:59:13 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 213226] security/ca_root_nss: 3.27 is missing cert for googlecode.com
Message-ID: <bug-213226-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213226

            Bug ID: 213226
           Summary: security/ca_root_nss: 3.27 is missing cert for googlecode.com
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: dch@skunkwerks.at
          Assignee: ports-secteam@FreeBSD.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

After updating from 3.26 -> 3.27, Google sites such as googlecode.com no longer
work over https. Examples follow.

curl -vs https://go.googlesource.com/tools/ > /dev/null
...
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
...
* SSL certificate problem: unable to get local issuer certificate

## versions

```
dch@wintermute /u/l/s/certs> uname -a
FreeBSD wintermute.skunkwerks.at 11.0-RELEASE FreeBSD 11.0-RELEASE #0 r306211: Thu Sep 22 21:43:30 UTC 2016     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
dch@wintermute /u/l/s/certs> pkg info ca_root_nss libressl curl
ca_root_nss-3.27
libressl-2.4.3
curl-7.50.3
$ pkg info curl
curl-7.50.3
Name           : curl
Version        : 7.50.3
Installed on   : Wed Oct  5 10:53:54 2016 UTC
Origin         : ftp/curl
Architecture   : freebsd:11:x86:64
Prefix         : /usr/local
Categories     : ipv6 ftp www
Licenses       : MIT
Maintainer     : sunpoet@FreeBSD.org
WWW            : http://curl.haxx.se/
Comment        : Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
Options        :
	CARES          : off
	CA_BUNDLE      : on
	COOKIES        : on
	CURL_DEBUG     : off
	DEBUG          : off
	DOCS           : on
	EXAMPLES       : on
	GNUTLS         : off
	GSSAPI_BASE    : off
	GSSAPI_HEIMDAL : off
	GSSAPI_MIT     : on
	GSSAPI_NONE    : off
	HTTP2          : on
	IDN            : off
	IPV6           : on
	LDAP           : off
	LDAPS          : off
	LIBSSH2        : off
	METALINK       : off
	NSS            : off
	OPENSSL        : on
	POLARSSL       : off
	PROXY          : on
	PSL            : off
	RTMP           : off
	THREADED_RESOLVER: on
	TLS_SRP        : off
	WOLFSSL        : off
Shared Libs required:
	libcom_err.so.3.0
	libssl.so.39
	libk5crypto.so.3.1
	libnghttp2.so.14
	libgssapi_krb5.so.2.2
	libkrb5.so.3.3
	libcrypto.so.38
Shared Libs provided:
	libcurl.so.4
Annotations    :
	cpe            : cpe:2.3:a:haxx:curl:7.50.3:::::freebsd11:x64
	repo_type      : binary
	repository     : pkg.domarino.com
Flat size      : 5.09MiB
Description    :
curl is a client to get documents/files from servers, using any of the
supported protocols. The command is designed to work without user
interaction or any kind of interactivity.

curl offers a busload of useful tricks like proxy support, user
authentication, ftp upload, HTTP post, SSL (https:) connections, file
transfer resume and more.

WWW: http://curl.haxx.se/

$ pkg info libressl
libressl-2.4.3
Name           : libressl
Version        : 2.4.3
Installed on   : Wed Oct  5 10:53:26 2016 UTC
Origin         : security/libressl
Architecture   : freebsd:11:x86:64
Prefix         : /usr/local
Categories     : security devel
Licenses       : BSD4CLAUSE
Maintainer     : brnrd@FreeBSD.org
WWW            : http://www.libressl.org/
Comment        : Free version of the SSL/TLS protocol forked from OpenSSL
Options        :
	MAN3           : on
	NC             : on
Shared Libs provided:
	libssl.so.39
	libtls.so.11
	libcrypto.so.38
Annotations    :
	cpe            : cpe:2.3:a:openbsd:libressl:2.4.3:::::freebsd11:x64
	repo_type      : binary
	repository     : pkg.domarino.com
Flat size      : 8.72MiB
Description    :
LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) protocols. It was forked from the OpenSSL
cryptographic software library in April 2014 as a response by OpenBSD
developers to the Heartbleed security vulnerability in OpenSSL, with the aim
of refactoring the OpenSSL code so as to provide a more secure implementation.

LibreSSL was forked from the OpenSSL library starting with the 1.0.1g branch
and will follow the security guidelines used elsewhere in the OpenBSD project.

WWW: http://www.libressl.org/

$ pkg info ca_root_nss
ca_root_nss-3.27
Name           : ca_root_nss
Version        : 3.27
Installed on   : Wed Oct  5 10:53:40 2016 UTC
Origin         : security/ca_root_nss
Architecture   : freebsd:11:*
Prefix         : /usr/local
Categories     : security
Licenses       : MPL
Maintainer     : ports-secteam@FreeBSD.org
WWW            : UNKNOWN
Comment        : Root certificate bundle from the Mozilla Project
Options        :
	ETCSYMLINK     : on
Annotations    :
	repo_type      : binary
	repository     : pkg.domarino.com
Flat size      : 896KiB
Description    :
Root certificates from certificate authorities included in the
Mozilla NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.

$
```

NB libressl version is unrelated; using libressl-2.4.2 with newer certs also fails.

## expected result (using ca_root_nss-3.26)

```
dch@wintermute /tmp> sudo pkg install -f /var/cache/pkg/ca_root_nss-3.26.txz
Updating skunkwerks repository catalogue...
skunkwerks repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.26

Number of packages to be installed: 1

Proceed with this action? [y/N]: y
[1/1] Installing ca_root_nss-3.26...
[1/1] Extracting ca_root_nss-3.26: 100%
Message from ca_root_nss-3.26:
********************************* WARNING *********************************

FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.

*********************************** NOTE **********************************

This package installs symlinks to support root certificates discovery
by default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without
manual intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem

***************************************************************************
dch@wintermute /tmp> curl -vs https://go.googlesource.com/tools/ > /dev/null
*   Trying 2a00:1450:400c:c09::52...
* TCP_NODELAY set
* Connected to go.googlesource.com (2a00:1450:400c:c09::52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3260 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.googlecode.com
*  start date: Sep 29 16:53:40 2016 GMT
*  expire date: Dec 22 16:37:00 2016 GMT
*  subjectAltName: host "go.googlesource.com" matched cert's "*.googlesource.com"
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801e7b500)
> GET /tools/ HTTP/1.1
> Host: go.googlesource.com
> User-Agent: curl/7.50.3
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< content-type: text/html; charset=UTF-8
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: Mon, 01 Jan 1990 00:00:00 GMT
< date: Wed, 05 Oct 2016 10:26:25 GMT
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< server: GSE
< alt-svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
<
{ [1178 bytes data]
* Curl_http_done: called premature == 0
* Connection #0 to host go.googlesource.com left intact
```

## actual results using ca_root_nss-3.27

```
dch@wintermute /u/l/s/certs> sudo pkg upgrade
Updating skunkwerks repository catalogue...
skunkwerks repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (5 candidates):  80%
fish-2.2.0 is locked and may not be modified
Checking for upgrades (5 candidates): 100%
Processing candidates (5 candidates): 100%
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	ca_root_nss: 3.26 -> 3.27

Number of packages to be upgraded: 1

Proceed with this action? [y/N]: y
[1/1] Upgrading ca_root_nss from 3.26 to 3.27...
[1/1] Extracting ca_root_nss-3.27: 100%
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
Message from ca_root_nss-3.27:
********************************* WARNING *********************************

FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.

*********************************** NOTE **********************************

This package installs symlinks to support root certificates discovery
by default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without
manual intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem

***************************************************************************
dch@wintermute /u/l/s/certs> curl -vs https://go.googlesource.com/tools/ > /dev/null
*   Trying 2a00:1450:400c:c09::52...
* TCP_NODELAY set
* Connected to go.googlesource.com (2a00:1450:400c:c09::52) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3260 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
dch@wintermute /u/l/s/certs>
```

--
You are receiving this mail because:
You are the assignee for the bug.
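The failure above is a trust-store change, not a server-side one: the same chain that verified against the 3.26 bundle fails against 3.27 with "unable to get local issuer certificate", which means an anchor the chain needs is no longer in the file curl loads as CAfile. The first diagnostic a practitioner wants is therefore a list of which certificates were removed (and added) between the two bundle versions. The script below is an added example, not code from the bug report or from the FreeBSD ports tree. It assumes only that each bundle is a concatenation of PEM `-----BEGIN CERTIFICATE-----` blocks (comments or text dumps between blocks are ignored); the two sample bundles are constructed in-line with placeholder base64 bodies rather than real certificates, so they exercise the parsing and diffing but are not trust material.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block. A real bundle such as
# /usr/local/share/certs/ca-root-nss.crt may carry comments or text dumps
# between blocks; those are skipped because only the body between the
# BEGIN/END lines is captured.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    ders = []
    for body in _PEM_BLOCK.findall(bundle_text):
        b64 = "".join(body.split())  # drop the 64-column line breaks
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of a DER blob in the colon-separated form that
    openssl x509 -fingerprint -sha256 and browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle_text):
    """Map fingerprint -> DER for one bundle; duplicate blocks collapse."""
    return {fingerprint(der): der for der in pem_blocks(bundle_text)}


def diff_bundles(old_text, new_text):
    """Return (removed, added): sorted fingerprint lists of anchors present
    only in the old bundle and only in the new bundle respectively.

    An entry in `removed` is the first thing to look up when a chain that
    verified against the old bundle now fails with
    'unable to get local issuer certificate'.
    """
    old = bundle_fingerprints(old_text)
    new = bundle_fingerprints(new_text)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    return removed, added


def _fake_pem(label):
    """CONSTRUCTED placeholder: a PEM block whose body is just the label
    bytes, not a real certificate. Enough to exercise parsing and hashing."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample bundles standing in for two versions of ca_root_nss.
# The comment header mimics the style of a generated bundle; it is ignored.
OLD_BUNDLE = (
    "##\n## Constructed sample bundle, old version\n##\n"
    + _fake_pem("root-A") + _fake_pem("root-B") + _fake_pem("root-C")
)
NEW_BUNDLE = (
    "##\n## Constructed sample bundle, new version\n##\n"
    + _fake_pem("root-A") + _fake_pem("root-C") + _fake_pem("root-D")
)


if __name__ == "__main__":
    removed, added = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    print("removed from new bundle:", removed)
    print("added in new bundle:   ", added)
```

On a real system the two inputs would be the `ca-root-nss.crt` files extracted from the old and new packages (the report shows the old one still in `/var/cache/pkg`); a removed fingerprint can then be matched against the issuer that curl reported for the server chain to confirm which anchor the verification path depended on, and the decision to re-add a site-local anchor stays an explicit administrator choice, as the package's own NOTE text asks.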