Date:      Fri, 19 Jun 2020 00:21:10 +0200
From:      Daniel Lysfjord <lysfjord.daniel@smokepit.net>
To:        freebsd-security@freebsd.org
Subject:   Re: pkg.freebsd.org cert has expired :/
Message-ID:  <0e54b182-cb7e-8241-1532-ed18e4bd1b9b@smokepit.net>
In-Reply-To: <2FF82E5C-0503-49A5-899F-266AA9C1D9E0@tetlows.org>
References:  <78327651-4041-80b3-e91a-e10b49606313@chroot.pl> <2FF82E5C-0503-49A5-899F-266AA9C1D9E0@tetlows.org>

On 19.06.2020 00:14, Gordon Tetlow via freebsd-security wrote:
> pkg.freebsd.org is a geographically distributed set of servers. Can you please go to https://pkg.freebsd.org/ or http://pkg.freebsd.org/ and tell us which mirror you are hitting that has an expired certificate? The mirror name should be on the page.

Both those links point to pkg0.pkt.FreeBSD.org for me, and the 
certificate is indeed expired.


openssl s_client -showcerts -connect pkg.freebsd.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pkg.freebsd.org
verify error:num=10:certificate has expired
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
depth=0 CN = pkg.freebsd.org
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
---
Certificate chain
  0 s:CN = pkg.freebsd.org
    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = pkg.freebsd.org

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3532 bytes and written 392 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-CHACHA20-POLY1305
     Session-ID: 037A3AB0C5FD0B94C0B478FCB0A9BC58ED17869834DE78E4E82D1CE0AEA9CCFF
     Session-ID-ctx:
     Master-Key: D7BA3017ED61E04BD455062CEC8041444C2EFCB4593F0C4D8DDAE8DADEE827CBACC71DD5834EA4D645C4FD9AFACBC4DB
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1592518778
     Timeout   : 7200 (sec)
     Verify return code: 10 (certificate has expired)
     Extended master secret: yes
---

Regards,

Daniel

> 
> Gordon
> 
>> On Jun 18, 2020, at 2:54 PM, Lukasz via freebsd-security <freebsd-security@freebsd.org> wrote:
>>
>> Regards,
>>
>> Lukasz
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> 
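
Added example, not part of the original message: a Python parser for the verification lines of the `openssl s_client` output quoted above, reporting which chain depth failed with error 10 and how long before the handshake's Start Time that certificate had expired. The sample text is excerpted from that output; the function names `parse_verify` and `expired_certs` and the fall-back to the current time are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Excerpt of the s_client output quoted in the message above.
SAMPLE = """\
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pkg.freebsd.org
verify error:num=10:certificate has expired
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
     Start Time: 1592518778
     Verify return code: 10 (certificate has expired)
"""

def parse_verify(output):
    """Return (per-certificate findings, handshake start, verify return code)."""
    findings, current, start, code = [], None, None, None
    for line in map(str.strip, output.splitlines()):
        if m := re.match(r"depth=(\d+) (.+)", line):
            current = {"depth": int(m[1]), "subject": m[2],
                       "error": None, "not_after": None}
            findings.append(current)
        elif (m := re.match(r"verify error:num=(\d+):(.+)", line)) and current:
            current["error"] = (int(m[1]), m[2])
        elif line.startswith("notAfter=") and current:
            stamp = datetime.strptime(line[9:], "%b %d %H:%M:%S %Y GMT")
            current["not_after"] = stamp.replace(tzinfo=timezone.utc)
        elif m := re.match(r"Start Time: (\d+)", line):
            start = datetime.fromtimestamp(int(m[1]), tz=timezone.utc)
        elif m := re.match(r"Verify return code: (\d+)", line):
            code = int(m[1])
    return findings, start, code

def expired_certs(output):
    """(depth, subject, time since expiry) for each cert flagged with error 10."""
    findings, start, _ = parse_verify(output)
    start = start or datetime.now(timezone.utc)  # assumption: fall back to now
    return [(f["depth"], f["subject"], start - f["not_after"])
            for f in findings
            if f["error"] and f["error"][0] == 10 and f["not_after"]]

if __name__ == "__main__":
    for depth, subject, ago in expired_certs(SAMPLE):
        print(f"depth {depth}: {subject} expired {ago} before the handshake")
```

Run against the output of each mirror hostname in turn, the same parse separates mirrors that still serve the old leaf certificate from those already renewed.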


