Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 502370 - lists.gentoo.org port 25 intermediate tls cert needs update
Summary: lists.gentoo.org port 25 intermediate tls cert needs update
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Mailing Lists (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-25 01:15 UTC by James Cloos
Modified: 2014-04-24 21:32 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
gnutls-cli output showing bad cert (file_502370.txt,1.77 KB, text/plain)
2014-02-25 01:15 UTC, James Cloos
Details

Note You need to log in before you can comment on or make changes to this bug.
Description James Cloos 2014-02-25 01:15:50 UTC
Created attachment 371196 [details]
gnutls-cli output showing bad cert

Lists.gentoo and mail.gentoo use CACert-signed tls end-entity certs.

The intermediate certs on both are cacert’s old md5-signed intermediate.  As such, gnutls — and perhaps other tls libs — refuse to trust it, even when cacert’s root cert is trusted.

Cacert issued a new intermediate in 2011 which is signed with sha256.

Mail.gentoo uses the new intermediate.  Lists.gentoo also needs to.

For lists, this only requires using the new intermediate; the rest of the config is OK.

(tls to mail.gentoo fails because its cert is for dev.gentoo; it would be useful to have cacert issue it its own ee cert.)
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-24 21:32:42 UTC
We no longer have CACert certificates in use.