From: Daniel Lysfjord
To: freebsd-security@freebsd.org
Subject: Re: pkg.freebsd.org cert has expired :/
Date: Fri, 19 Jun 2020 00:21:10 +0200
Message-ID: <0e54b182-cb7e-8241-1532-ed18e4bd1b9b@smokepit.net>
In-Reply-To: <2FF82E5C-0503-49A5-899F-266AA9C1D9E0@tetlows.org>

On 19.06.2020 00:14, Gordon Tetlow via freebsd-security wrote:
> pkg.freebsd.org is a geographically distributed set of servers. Can you please go to https://pkg.freebsd.org/ or http://pkg.freebsd.org/ and tell us which mirror you are hitting that has an expired certificate? The mirror name should be on the page.

Both those links point to pkg0.pkt.FreeBSD.org for me, and the certificate is indeed expired.

openssl s_client -showcerts -connect pkg.freebsd.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pkg.freebsd.org
verify error:num=10:certificate has expired
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
depth=0 CN = pkg.freebsd.org
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
---
Certificate chain
 0 s:CN = pkg.freebsd.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = pkg.freebsd.org
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3532 bytes and written 392 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 037A3AB0C5FD0B94C0B478FCB0A9BC58ED17869834DE78E4E82D1CE0AEA9CCFF
    Session-ID-ctx:
    Master-Key: D7BA3017ED61E04BD455062CEC8041444C2EFCB4593F0C4D8DDAE8DADEE827CBACC71DD5834EA4D645C4FD9AFACBC4DB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592518778
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

Regards,
Daniel

>
> Gordon
>
>> On Jun 18, 2020, at 2:54 PM, Lukasz via freebsd-security wrote:
>>
>> Regards,
>>
>> Lukasz
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
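
Added example, not part of the original message: a small parser for the `openssl s_client` verification lines quoted above, which reports which chain element failed and how long before the handshake (the "Start Time" field) its notAfter had passed. The function names are assumptions of this example, and SAMPLE is an excerpt of the output above with the certificates left out.

```python
import re
from datetime import datetime, timezone

# Excerpt of the s_client output quoted above, certificates left out.
SAMPLE = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pkg.freebsd.org
verify error:num=10:certificate has expired
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
depth=0 CN = pkg.freebsd.org
notAfter=Jun 18 21:10:03 2020 GMT
verify return:1
    Start Time: 1592518778
    Verify return code: 10 (certificate has expired)
"""

def parse_s_client(text):
    """Return (findings, handshake_time, verify_code) parsed from s_client text."""
    findings, subject, pending, start, code = [], None, None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"depth=(\d+) (.+)", line):
            # A new chain element starts; earlier errors no longer collect fields.
            subject, pending = (int(m.group(1)), m.group(2)), None
        elif (m := re.match(r"verify error:num=(\d+):(.+)", line)) and subject:
            pending = {"depth": subject[0], "subject": subject[1],
                       "num": int(m.group(1)), "reason": m.group(2), "not_after": None}
            findings.append(pending)
        elif line.startswith("notAfter=") and pending:
            ts = datetime.strptime(line[len("notAfter="):], "%b %d %H:%M:%S %Y GMT")
            pending["not_after"] = ts.replace(tzinfo=timezone.utc)
        elif m := re.match(r"Start Time: (\d+)", line):
            start = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        elif m := re.match(r"Verify return code: (\d+)", line):
            code = int(m.group(1))
    return findings, start, code

def expired_for(text):
    """Map each expired subject to seconds between notAfter and the handshake."""
    findings, start, _ = parse_s_client(text)
    return {f["subject"]: int((start - f["not_after"]).total_seconds())
            for f in findings if start and f["num"] == 10 and f["not_after"]}

if __name__ == "__main__":
    print(expired_for(SAMPLE))
```

On the output above, only the leaf certificate (depth 0) fails; both CA certificates in the chain verify.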