From: Klaus Ethgen
To: submit@bugs.devuan.org
Date: Mon, 3 Apr 2017 20:53:04 +0100
Subject: Website not working when using TLSA
Message-ID: <20170403195304.e2srg6biwapruaqe@ikki.ethgen.ch>

Package: devuan-www
Severity: important

For several months the web page (www.devuan.org) has not been viewable for those who care about security and trust only the certificate that the owner has access to instead of every untrusted CA. The way to do that is DNSSEC with TLSA and thankfully, devuan does support that.
Unfortunately, for several months (I believe since devuan switched to that horrible Let's Encrypt) the page hasn't matched the TLSA record anymore. That leads to an unviewable page if one cares about security. So the TLSA record should be updated to match the SSL certificate of the page (or the right SSL certificate should be used).

There are a few solutions for this if it is really the switch to Let's Encrypt that is the cause:

- Every time you replace the SSL certificate, update the TLSA record too. That is very painful, as Let's Encrypt drives security ad absurdum by replacing the certificate with every single new load. (Keep in mind, not everyone is checking the site every hour.) That is the most stupid (sorry) way.

- Get a certificate from a more stable source that is not replacing the certificates that often. You still need to change the TLSA record every time you replace the certificate. That is, in my opinion, the most reliable way.

- If you don't care about the fucked up CA stuff, just generate a self-signed certificate and put the right stuff into the TLSA record. This is the most honest way to go but realistically, as browser vendors seem to passively boycott DNSSEC, this is no way to go for a site like devuan.

- The last way would be to use the CA fingerprint instead of the one of the actual certificate. Or use the fingerprint of the key if you don't change it with every certificate renewal. This is making good face on a bad matter but it is working too.
Regards
   Klaus

-- 
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

From: owner@bugs.devuan.org
To: control@bugs.devuan.org
Received: (at control) by bugs.devuan.org; 4 Apr 2017 12:16:13 +0000
Subject: bug number #53 -- change severity to grave

severity 53 grave
quit

From: "Ralph Ronnquist (rrq)"
To: 53-close@bugs.devuan.org
Date: Sat, 18 Jan 2020 11:30:04 +1100
Subject: fixed

fixed
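The report's last option, publishing the TLSA record over the public key (selector 1, SubjectPublicKeyInfo) instead of the whole certificate (selector 0) so that a renewal that reuses the key keeps matching, as an added check that is not part of this bug thread or of Devuan's tooling. It implements the RFC 6698 association data on a standard-library-only DER walker (so it also works on a real DER certificate); `fake_cert` and the `KEY_*`/`CERT_*` samples are constructed dummies assumed here for the demonstration.

```python
import hashlib

def _tlv(der: bytes, pos: int = 0):
    """Decode the DER element at pos: (tag, value, position after it)."""
    tag, ln, pos = der[pos], der[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + ln], pos + ln

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, the blob TLSA selector 1 hashes."""
    tbs = _tlv(_tlv(cert_der)[1])[1]               # Certificate -> tbsCertificate
    tag, _, nxt = _tlv(tbs)
    pos = nxt if tag == 0xA0 else 0                # skip optional [0] version
    for _ in range(5):                             # serial, sigalg, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    return tbs[pos:_tlv(tbs, pos)[2]]

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data for an RFC 6698 selector / matching type."""
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]   # KeyError: unknown type
    return digest(blob)

def make_record(cert_der: bytes, selector: int, mtype: int = 1) -> str:
    """Zone-file RDATA of a DANE-EE (usage 3) record for this certificate."""
    return f"3 {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

def matches(cert_der: bytes, record: str) -> bool:
    """Does the served certificate satisfy the published RDATA? (usage 3 only)"""
    usage, selector, mtype, hexdata = record.split(maxsplit=3)
    assert usage == "3", "only DANE-EE (usage 3) is handled here"
    return tlsa_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(hexdata)

def _der(tag: int, body: bytes) -> bytes:          # tiny encoder, short-form lengths only
    return bytes([tag, len(body)]) + body

def fake_cert(spki: bytes, serial: int) -> bytes:
    """Constructed, unsigned dummy certificate with the real tbsCertificate layout."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, b"") * 4 + spki)          # sigalg, issuer, validity, subject empty
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

# Constructed samples: one key reused across a renewal, then a renewal with a fresh key.
KEY_A = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00keyA"))
KEY_B = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00keyB"))
CERT_OLD, CERT_RENEWED, CERT_REKEYED = fake_cert(KEY_A, 1), fake_cert(KEY_A, 2), fake_cert(KEY_B, 3)
```

A "3 0 1" record published for CERT_OLD stops matching CERT_RENEWED, while a "3 1 1" record keeps matching until the key itself changes (CERT_REKEYED), which is the trade-off the report's last option describes.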