Hi all. I have been a Gentoo user and bugzilla "client" for some time. I would like to know if the infrastructure team would be interested in a donation for a certificate, since they can now be had pretty cheap, and having it installed to allow proper HTTPS access to bugzilla. Best regards

Reproducible: Always
Why do you think SSL is not working properly? I'm using it right now for all my Bugzilla traffic.
Because using a self-signed certificate is practically the same thing as not using one at all: you're susceptible to man-in-the-middle attacks.
It's not self-signed. We're a member of CACert's Organization Assurance program. Any of the major CAs are subject to the same problems. Distributed certificate validation is required (such as the Perspectives SSL validation program). Longer term, we intend to offer DNSSEC and SSL fingerprints via DNSSEC (which mitigates the need to trust any single CA).
My bad, I thought the big red screen was due to that. Can anything be done so that browsers just accept the certificate as trustworthy? I understand the problems of self-signed certificates but did not understand what actually is going on here. The browser says the certificate authority is not trusted. From their webpage, they seem to be a community effort, so I need to get their certificate and install it manually, right?
Yes, you need to install their CA root certificate yourself. http://www.cacert.org/index.php?id=3 Install the Perspectives plugin in your browser as well, it will cut down the number of red warnings. I suppose it would help if we documented why we use CACert somewhere on the main www.g.o page.
It works quite nicely in Firefox but in Chrome it's not so great. Either way, it kind of works. Documentation would certainly be useful! My offer still stands: if you think it would be good to have a paid certificate, I could help with that. Second thing, off-topic, I would like to ask: I think this interface needs to be revamped and I'd like to volunteer. Is there any place where I can sign up for that?
We hope to be deploying Bugzilla4 in the next few months. We have ported our patches to Bugzilla3 already, and since Bugzilla4 is so close to release, we're going to jump straight to it. From a user perspective, could you try and write a small document saying how you added the CA to your browser? We'd append it with why we use CACert, and we can post that up to the infra documentation: http://www.gentoo.org/proj/en/infrastructure/ Thank you for the offer, but it wouldn't actually improve security, so there isn't a need to spend the money: yours or ours.
Ok, glad to hear. Yes, I can, I'll get back to you soon. Best regards.
Since changing bugs to SSL only, I have been unable to access the site using Chrome on my Mac workstation at home. I have tried importing the CACert root certificate, etc., and Chrome just flat out refuses to let me access the site.
@fuzzyray: What version of Chrome, and what does it do instead? Which CACert root portions do you have installed (you should just need the base, but the intermediate should be tested as well).
The version of Chrome is 12.0.742.112. The error message is "Invalid Server Certificate: You attempted to reach bugs.gentoo.org, but the server presented an invalid certificate." The only button that could be pressed is "Back". I installed the "Class 1 PKI Key" and "Class 3 PKI Key" from http://www.cacert.org/index.php?id=3 into my keychain on the Mac and still ran into the errors. However, something must have gone wrong previously, because I just deleted the certificates, re-downloaded them, re-imported them and it is now working.
I cannot access our bugzilla from behind http_proxy when I'm on the road since CACert was introduced. This proxy does not know CACert. Please change to a real certificate. I would have added several bug reports myself but I was forced to discuss them on Freenode and ask others to do so...
It's worth pointing out that if you add a manual exception for "bugs.gentoo.org", you also have to add an exception for each attachment you want to view. This is because attachments redirect to "<bugid>.bugs.gentoo.org" whereas everything else uses "bugs.gentoo.org". Installing the CACert certificates addressed the issue; however, the situation is far from ideal. I wouldn't have even known about them if I hadn't gotten fed up and started to do some research in preparation for filing my own bug. Did anything ever come from Bug 363871? If money is an issue, StartSSL does have free certificates, though they expire after 1 year, rather than 2.
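An added check, not part of this bug thread or of Gentoo infra's tooling, that reproduces with a throwaway CA what comments 6 and 13 describe: a certificate from a root the trust store does not know is rejected, importing that root fixes it, and once the root is trusted the certificate's names must still cover every host the site redirects to (here the <bugid>.bugs.gentoo.org attachment hosts). It assumes only the openssl command line; the CA, keys and serial numbers are constructed, and browser per-host exception storage is not modelled.

```shell
#!/bin/sh
# Added example: a throwaway "community CA" stands in for CACert, and the
# system trust store stands in for the browser's. Hostnames are the ones from
# the thread; the CA, keys and serials below are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root with explicit CA extensions, from our own config so the
# outcome does not depend on the distribution's openssl.cnf.
printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n' > "$WORK/ca.cnf"
printf '[dn]\nCN=Constructed Community CA\n[ca]\n' >> "$WORK/ca.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >> "$WORK/ca.cnf"
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf NAME SANS SERIAL: end-entity cert $WORK/NAME.crt signed by the root.
issue_leaf() {
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=bugs.gentoo.org" -newkey rsa:2048 \
        -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial "$3" -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
issue_leaf single   "DNS:bugs.gentoo.org" 1001
issue_leaf wildcard "DNS:bugs.gentoo.org,DNS:*.bugs.gentoo.org" 1002

# verify_chain CAFILE CERT HOST: 0 if CERT chains to a root in CAFILE (empty
# CAFILE = system store only, i.e. the root was never imported) and its
# names cover HOST; 1 otherwise. This is the decision the browser makes.
verify_chain() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -verify_hostname "$3" "$2" 2>&1) || true
    fi
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# report LABEL CMD...: one line per check.
report() { label=$1; shift; if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi; }
S=$WORK/single.crt; W=$WORK/wildcard.crt; CA=$WORK/ca.crt
report "root unknown: bugs.gentoo.org (the red screen)"     verify_chain ""    "$S" bugs.gentoo.org
report "root imported: bugs.gentoo.org"                     verify_chain "$CA" "$S" bugs.gentoo.org
report "root imported: 12345.bugs.gentoo.org, no wildcard"  verify_chain "$CA" "$S" 12345.bugs.gentoo.org
report "root imported: 12345.bugs.gentoo.org, wildcard SAN" verify_chain "$CA" "$W" 12345.bugs.gentoo.org
```

The third line shows why importing the root alone was not enough for comment 13's attachment hosts: the certificate's subjectAltName has to list them (or a wildcard covering them) as well.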
(In reply to comment #13)
> Did anything ever come from Bug 363871? If money is an issue, StartSSL does
> have free certificates, though they expire after 1 year, rather than 2.

StartSSL's policy of requiring a lot of personal information for registration has ruled them out to date: https://www.startssl.com/?app=2
This has been completed now, using a certificate from GlobalSign.