Devuan bug report logs - #53
Website not working when using TLSA

Package: devuan-www; Maintainer for devuan-www is Devuan Developers <devuan-dev@lists.dyne.org>;

Reported by: Klaus Ethgen <Klaus@Ethgen.ch>

Date: Mon, 3 Apr 2017 20:03:01 UTC

Severity: grave

Done: "Ralph Ronnquist (rrq)" <ralph.ronnquist@gmail.com>

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.devuan.org
Subject: bug#53: Website not working when using TLSA
Reply-To: Klaus Ethgen <Klaus@Ethgen.ch>, 53@bugs.devuan.org
Resent-From: Klaus Ethgen <Klaus@Ethgen.ch>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: golinux <golinux@dyne.org>
Resent-Date: Mon, 03 Apr 2017 20:03:01 UTC
Resent-Message-ID: <handler.53.B.149124960224531@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: report 53
X-Devuan-PR-Package: devuan-www
X-Devuan-PR-Keywords: 
Received: via spool by submit@bugs.devuan.org id=B.149124960224531
          (code B ref -1); Mon, 03 Apr 2017 20:03:01 UTC
Received: (at submit) by bugs.devuan.org; 3 Apr 2017 20:00:02 +0000
Delivered-To: devuanbugs@dyne.org
Received: from mail.dyne.org [178.62.188.7]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Mon, 03 Apr 2017 22:00:02 +0200 (CEST)
Received: from tschil.ethgen.ch (tschil.ethgen.ch [5.9.7.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by tupac2.dyne.org (Postfix) with ESMTPS id 776B018BF8E
	for <submit@bugs.devuan.org>; Mon,  3 Apr 2017 19:53:06 +0000 (UTC)
Received: from [192.168.17.4] (helo=ikki.ket)
	by tschil.ethgen.ch with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.88)
	(envelope-from <klaus@ethgen.de>)
	id 1cv82D-0004E2-4w
	for submit@bugs.devuan.org; Mon, 03 Apr 2017 21:53:05 +0200
Received: from klaus by ikki.ket with local (Exim 4.89)
	(envelope-from <klaus@ikki.ethgen.ch>)
	id 1cv82C-0000VM-Cv
	for submit@bugs.devuan.org; Mon, 03 Apr 2017 21:53:04 +0200
Date: Mon, 3 Apr 2017 20:53:04 +0100
From: Klaus Ethgen <Klaus@Ethgen.ch>
To: submit@bugs.devuan.org
Message-ID: <20170403195304.e2srg6biwapruaqe@ikki.ethgen.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; x-action=pgp-signed
OpenPGP: id=79D0B06F4E20AF1C;
 url=http://www.ethgen.ch/~klaus/79D0B06F4E20AF1C.txt; preference=signencrypt
User-Agent: NeoMutt/20170306 (1.8.0)
X-Spam-Status: No, score=-2.3 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	RCVD_IN_DNSWL_MED,SPF_PASS autolearn=disabled version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tupac2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: devuan-www
Severity: important

Since several months, the web page (www.devuan.org) is not viewable for
those who care about security and trust only the certificate that the
owner has access to instead of every untrusted CA.

The way to do that is DNSSEC with TLSA and thankfully, devuan does
support that.

Unfortunately, since several months, (I believe, when devuan switched to
that horrable Let's encrypt) the page doesn't match the TLSA record
anymore. That leads to a unviewable page if one cares about security.

So the TLSA record should be updated to match the SSL certificate of the
page (or the right SSL certificate should be used).

There are few solutions for this if it is really the switch to Let's
encrypt that is the cause:
- - Every time you replace the SSL certificate, update the TLSA record
  too. That is very painful as Let's encrypt drives security adabsurdum
  by replacing the certificate with every single new load. (Keep in
  mind, not everyone is checking the side every hour.) That is the most
  stupid (sorry) way.
- - Get a certificate from a more stable source that is not replacing the
  certificates that often. You still need to change the TLSA record
  every time you replace the certificate. That is, in my opinion, the
  most reliable way.
- - If you don't care about the fucked up CA stuff, just generate a self
  signed certificate and put the right stuff into TLSA record. This is
  the most honest way to go but realistically, as browser vendors seems
  to passively boycott DNSSEC, this is no way to go for a site like
  devuan.
- - The last way would be to use the CA fingerprint instead of the one of
  the actual certificate. Or use the fingerprint of the key if you don't
  change it with every certificate renewal. This is making good face on
  a bad matter but it is working too.

Regards
   Klaus
- -- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Comment: Charset: ISO-8859-1

iQGzBAEBCgAdFiEEMWF28vh4/UMJJLQEpnwKsYAZ9qwFAljiqBkACgkQpnwKsYAZ
9qxL3QwAnLn7R6wiJzo0NCIrYg4gsr3rEfFHczVn+LA6aduIUYMOsqlhe8pCLqkF
ytVR9TZhuvVskK9diRYHQnuOBSc4+dKzdTbt5IYV2y2NQhJQbe0kSNx2lkwIF6Nt
zycNTlTntuSjtF5UVflsQFTDoNqbQB86l/Dp3K96kiOwVVE7luhPhqX8oCM7C1n6
YQbXeGexrhVx/Y1nSR6MALWthZvumlJJFcC3MARJkgIwZ03r64xsgYYjDHEgKZs/
9fxWir+JR+gTDHV5Y8lQRtEdShA37Sv/H5WNxhGjKB2jzuuhaKhNn9DeZEp3v7DY
GeAXi8NC2fi0qwbKSUHq0xy2U8JgrEicPpTwSvRnjGzyfknmC6Sfz6LvtDTftbGx
EYZzacTmch/vqIwv+qwaED9VHWLKP0w8IAHjcSLyDE8S4TGytv7qeAiHs3MbThkx
4WJBrbxBzFMUgSV8LurYlACw74S0XWQpXC/altjlLLNEWnb5+Nf4SJRsDIgtAkqY
Y8+uLt68
=4Rvp
-----END PGP SIGNATURE-----


Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Oct 25 07:49:34 2021;