From: "Michael B. Eichorn"
To: Royce Williams, Zaphod Beeblebrox
Cc: FreeBSD Hackers
Date: Tue, 17 Nov 2015 21:07:02 -0500
Subject: Re: FreeBSD forum certificates wrong somehow.
Message-ID: <1447812422.23778.17.camel@michaeleichorn.com>

On Tue, 2015-11-17 at 16:28 -0900, Royce Williams wrote:
> On Tue, Nov 17, 2015 at 4:05 PM, Zaphod Beeblebrox wrote:
> > I realize that I have no idea who is in the wrong --- the error is
> > rather opaque, but please follow:
> >
> > One of google or https everywhere (or both) directs my google
> > searches to https when forums.freebsd.org comes up.  For some
> > reason, I can't seem to add an exception, but https is generally
> > good...

The forum does not serve http, there is a 301 redirect to https.

> > ... but firefox doesn't want to talk to https://forums.freebsd.org.
> > So much so, in fact, it doesn't even provide the usual "add
> > exception for https self-signed" ... it's just a dialog to report
> > this nasty violation.
> >
> > ... now I realize that chrome seems to read the site just
> > fine...but I maintain that I'd rather not use chrome ... and really
> > someone needs to look at the problem...
> >
> > ... and since I don't know how to effectively complain to mozilla,
> > I'm starting by posting here.
>
> Firefox on what platform?  I'm unable to replicate here, on Windows 7
> or Linux (all I can reach at the moment).

More importantly, which version? TLSv1.1 and 1.2 were disabled by
default until version 27 (Released 20140204)[1]. And as noted below, the
forum requires at least 1.1.

> Qualys SSL Labs comes up clean for both IPv4 and IPv6:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=149.20.54.209&latest
>
> https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=2001%3A4f8%3A3%3A36%3A0%3A0%3A0%3A209
>
> Only unusual (not bad) thing that stands out from the results is that
> TLS 1.0 is not supported, which most sites haven't had the guts to do
> yet that I have seen.
>
> Do the forums have any load-balancing or DNS anycast stuff going on,
> or is forums.freebsd.org always 149.20.54.209 regardless of network
> standpoint?
>
> Firefox usually supplies an error code (of the form
> "err_ssl_version_or_cipher_mismatch" or similar).  Anything like that
> showing up on your end?
>
> Royce

[1] http://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-US/firefox/27.0/releasenotes/
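The version mismatch discussed in this message can be confirmed from captured handshake bytes; the sketch below is an added example, not part of the thread or any poster's code, and it reads the version a ClientHello offers and models a server with a TLS 1.1 floor answering with the RFC 5246 `protocol_version` alert. The function names and the sample ClientHello are constructed for illustration, and a real server may instead send `handshake_failure` or simply close the connection.

```python
import struct

# TLS wire versions (major, minor) and the alert codes relevant here
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def parse_client_hello(record: bytes):
    """Return the client_version offered in a (pre-TLS 1.3 style) ClientHello record."""
    ctype, _, _, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or len(body) != rlen or rlen < 6:
        raise ValueError("not a complete handshake record")
    if body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    return (body[4], body[5])  # follows the 1-byte type and 3-byte length

def server_response(client_max, server_min):
    """Model only: None if negotiation can continue, else a fatal alert record."""
    if client_max >= server_min:
        return None
    # content type 21 (alert), record version, length 2, level 2 (fatal), description 70
    return struct.pack("!BBBHBB", 21, client_max[0], client_max[1], 2, 2, 70)

def parse_alert(record: bytes):
    ctype, _, _, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 21 or rlen != 2:
        raise ValueError("not a plaintext alert record")
    return ("fatal" if record[5] == 2 else "warning", ALERTS.get(record[6], str(record[6])))

def diagnose(client_hello: bytes, server_min=(3, 2)):
    """server_min defaults to TLS 1.1, the floor the message attributes to the forum."""
    offered = parse_client_hello(client_hello)
    reply = server_response(offered, server_min)
    if reply is None:
        return f"{VERSIONS[offered]} offered: handshake can proceed"
    level, desc = parse_alert(reply)
    return f"{VERSIONS[offered]} offered, server needs {VERSIONS[server_min]}+: {level} {desc}"

def make_hello(version):
    """Constructed sample: version, zero random, empty session id, one suite, null compression."""
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(diagnose(make_hello((3, 1))))  # a client capped at TLS 1.0
    print(diagnose(make_hello((3, 3))))  # a client offering TLS 1.2
```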