[Pkg-privacy-maintainers] Bug#845989: Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)
Mikhail Kshevetskiy
mikhail.kshevetskiy at gmail.com
Sun Nov 27 18:14:49 UTC 2016
Hello,
look like the problem is caused by missing "DigiCert SHA2
High Assurance Server CA" certificate on my debian testing system.
(I check the same on other computer with debian stable and it was OK).
Look below and pay attention to messages:
1) unable to get local issuer certificate
2) Verify return code: 20 (unable to get local issuer certificate)
This results in failing of python OpenSSL library and finished by "You may be
under attack" message during initial installation of torbrowser.
--------------------------------------------
kl at flywind:~$ openssl s_client -connect dist.torproject.org:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2
High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=Massachusetts/L=Cambridge/O=The Tor Project, Inc./
CN=*.torproject.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQDGnVmapHXfa3m9oYQq3WQTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA0MTUwMDAwMDBaFw0xOTA1MjkxMjAwMDBa
MHQxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQH
EwlDYW1icmlkZ2UxHjAcBgNVBAoTFVRoZSBUb3IgUHJvamVjdCwgSW5jLjEZMBcG
A1UEAwwQKi50b3Jwcm9qZWN0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALcjOe3IaIUn5YEOnAAM+uIlKm0HyHUaR6rwU0m5YhdSV8DRGUB80Q67
zkIbutTMbEla8KpPSqsK/FShSXhLWB6Hv5UV2jR6/Pzxi8QaLMMAuLT5oHCkR6Jn
LFZrUtPq50RmhYfg15kwosmEzPqLa3NDcK5tpTX5F48DvBT+0aCZQLndKGzVhiJI
pEJdfTc69b1i4xGyhzp4ChUFDtmK9MRZFRvDFl4ZaVBe2haw/+1kemGwh5UuaD+P
DqTJl+xwQdUCrKWBgwnOVLJKqrp2/Yc0mkkTFXqdUD1BS+wgvCDi64f7ndyyTQgb
8IWoWEeF6KHbiFZLVR/puH64cbyRF8cCAwEAAaOCAfkwggH1MB8GA1UdIwQYMBaA
FFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQWBBSCJgjxEylVNBS0j4Adcbhg
2ktBzDArBgNVHREEJDAighAqLnRvcnByb2plY3Qub3Jngg50b3Jwcm9qZWN0Lm9y
ZzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEy
LWhhLXNlcnZlci1nNS5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNv
bS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw
KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZn
gQwBAgIwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Au
ZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2Vy
dC5jb20vRGlnaUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNV
HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCwURSDN25h03L4cN8+FFi6ZbzP
OxIh8GgLKljF2nO/qW8gjKIOUgNizf99lsnn7YaYPCr8W9IZQBp64aWsWwuWZ3w8
bRhklFCmgHhDFeLCqmScYwxYlCmSL2qRe8Dus4t8Axse7LEni6KcOFA3Dtssc3MA
jv30cEvGJru0mcogoMh8O04hmWZfC1EiyBLDDb5mBhijtMN+SbNQSr53mZWTgMXh
luVXp48Z8RTrOdLJ03ArAh2gfpOLUz3eGmynpTFPz+l3V3yRHyoeWFiZUbm0ePnx
1HyeNR3onMNJC/tbYIBNoz/tIEPpFqJ1P3AT8q+uy/OQR4DEoG3f3Syq1pBG
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Cambridge/O=The Tor Project, Inc./
CN=*.torproject.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3283 bytes and written 302 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 610A3292E75EEFA38CA322D9C34ECA27C18D2E02E8200DD9DA8009BB4E99B654
Session-ID-ctx:
Master-Key:
F285EAAFB2AAE5CA3E495A1C8FE7D216CA9CADD366212077D823940DF9B4831C6E967B0C4989E75FBEE35877ADE5F015
PSK identity: None PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3f d5 f2 67 6e 36 33 ab-8d 21 f1 68 0a cd 70 73 ?..gn63..!.h..ps
0010 - 5b 59 e8 6d 55 ec 18 71-fa 58 0f 19 3f b6 0f d8 [Y.mU..q.X..?...
0020 - af b1 95 57 8d fb b6 bc-49 09 7a 4b 7e 11 b0 96 ...W....I.zK~...
0030 - 8c f3 6f 7e cd db 2e 40-2c 59 d7 5c 60 85 fa 78 ..o~...@,Y.\`..x
0040 - 93 2b 5c a1 63 e2 3e 28-e8 e1 7a 09 c7 34 ed 09 .+\.c.>(..z..4..
0050 - 4e d0 54 82 ab cd 7e 35-e1 ee 3b 34 40 b1 e8 2e N.T...~5..;4 at ...
0060 - 19 2b 5b 3f b6 ca 36 8f-a1 e7 fe fa ff 99 db ff .+[?..6.........
0070 - 3f 2b bb 59 bc 91 d0 0d-2e a9 3b 86 e8 6e 05 11 ?+.Y......;..n..
0080 - f6 fc 5b c3 af 75 16 1f-f7 00 63 ab c3 97 6f 89 ..[..u....c...o.
0090 - f8 bb be 16 f2 13 d9 5c-4d 62 23 4f c3 3c c1 b0 .......\Mb#O.<..
00a0 - 70 c2 ad cc 54 e9 3e 81-de 8e 4f 4e 56 5d 1d 19 p...T.>...ONV]..
00b0 - 2d 5c 43 4e 10 ed 74 07-ef 70 6a c2 52 40 ef 23 -\CN..t..pj.R at .#
Start Time: 1480269351
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
--------------------------------------------------------------------
On Sun, 27 Nov 2016 12:36:05 -0500
Antoine Beaupré <anarcat at debian.org> wrote:
> On 2016-11-27 11:16:11, Holger Levsen wrote:
> > On Sun, Nov 27, 2016 at 10:39:16AM -0500, Antoine Beaupré wrote:
> >> > … you've been attacked.
> >> I beg to disagree. I doubt that M. Kshevetskiy has been, in this case,
> >> individually targeted for attack.
> >
> > me too. and I never said he had been individually been attacked. I just
> > said he had been attacked.
>
> Good point.
>
> It's just the error message explicitly says "you". :)
>
> >> I am reopening this bug. It has been forwarded upstream, where I have
> >> brought more suggestions on how to improve the user experience here.
> >
> > I'd suggest downgrade to important (at max, probably normal is better)
> > and maybe also to tag it as "unreproducible" (as its not reliable
> > reproducible…) so that the package doesnt get kicked out of testing…
>
> That's fine with me!
>
> A.
>
> --
> I'm no longer accepting the things I cannot change.
> I'm changing the things I cannot accept.
> - Angela Davis
More information about the Pkg-privacy-maintainers
mailing list