
Re: [Savannah-users] Savannah https SSL certificates updated


From: Bob Proulx
Subject: Re: [Savannah-users] Savannah https SSL certificates updated
Date: Tue, 24 Mar 2015 13:14:22 -0600
User-agent: Mutt/1.5.23 (2014-03-12)

Reed Loden wrote:
> Ineiev wrote:
> > It looks like this disabled some of my cron jobs on fencepost.gnu.org;
> > it used to wget https://...savannah.gnu.org/...; now it says
> > ERROR: cannot verify savannah.gnu.org's certificate, issued by
> > `/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2':
> >   Unable to locally verify the issuer's authority.
> >
> > Probably I should file a request to sysadmin, or configure
> > something in ~/.

The FSF sysadmin is the place to get any updates onto fencepost.
I will give them a poke and see about getting this updated.

> https://www.ssllabs.com/ssltest/analyze.html?d=savannah.gnu.org
> 
> Looks like "USERTrust RSA Certification Authority" root CA cert is missing
> from the ca-certificates store of fencepost. Not sure when it was added to
> browser's root store, but might be a good idea to send it along with the
> entire certificate chain for now. Better yet, update fencepost's
> ca-certificates.

It is also possible that the change from SHA1 to SHA256 was also a
source of the problem.

> Aside from that, it would be nice if savannah's SSL/TLS config was updated
> to enable better cipher suite choices and newer protocols. See
> https://wiki.mozilla.org/Security/Server_Side_TLS for some examples on how
> to do this.

Yes.  I started working that problem and then Real Life intruded.  It
isn't completely simple because Savannah has evolved into a large
framework all interconnected.  It has lost some modularity.
Everything is connected.  Upgrading one thing causes other things not
to work.  Which makes upgrades at the moment problematic.

I will just note that I haven't lost track of the upgrade project.  I
have simply had to delay while taking care of other more urgent things
first.

Bob
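
The verification failure quoted above, and the two remedies raised in the thread (updating the client's CA store, and having the server send its chain), can be reproduced offline with a throwaway PKI. This is an added example, not part of the original message: the CA names, file names and the helpers `build_pki` and `outcome` are constructed for illustration, and it assumes OpenSSL 1.1.0 or later and a chain with no cross-signed certificates.

```shell
#!/bin/sh
# Constructed three-level PKI in a temp dir; every name below is made up for the demo.
build_pki() {
  PKI=$(mktemp -d) || return 1
  cat > "$PKI/cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = Common Name
[ca]
basicConstraints = critical,CA:TRUE
EOF
  req()  { openssl req -config "$PKI/cnf" -newkey rsa:2048 -nodes -sha256 "$@" 2>/dev/null; }
  sign() { openssl x509 -req -sha256 -days 2 "$@" 2>/dev/null; }
  # Two self-signed roots: one the client already trusts, one it has never seen.
  req -x509 -days 2 -extensions ca -subj "/CN=Old Root" -keyout "$PKI/old.key" -out "$PKI/stale.pem" &&
  req -x509 -days 2 -extensions ca -subj "/CN=New Root" -keyout "$PKI/root.key" -out "$PKI/root.pem" &&
  # Intermediate CA under the new root, then the server (leaf) certificate under it.
  req -subj "/CN=Issuing CA" -keyout "$PKI/int.key" -out "$PKI/int.csr" &&
  sign -in "$PKI/int.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" -set_serial 2 \
       -extfile "$PKI/cnf" -extensions ca -out "$PKI/int.pem" &&
  req -subj "/CN=www.example.test" -keyout "$PKI/leaf.key" -out "$PKI/leaf.csr" &&
  sign -in "$PKI/leaf.csr" -CA "$PKI/int.pem" -CAkey "$PKI/int.key" -set_serial 3 -out "$PKI/leaf.pem" &&
  # updated.pem = client store after the new root is installed; full.pem = chain incl. root.
  cat "$PKI/stale.pem" "$PKI/root.pem" > "$PKI/updated.pem" &&
  cat "$PKI/int.pem" "$PKI/root.pem" > "$PKI/full.pem"
}

# outcome TRUST_FILE [SENT_CHAIN]: prints "ok" if the leaf chains to a root in TRUST_FILE,
# else "fail". -no-CApath keeps the system store out of it; SENT_CHAIN is passed as
# -untrusted, i.e. certificates the server presents, which help build a path but
# are never trust anchors themselves.
outcome() {
  if openssl verify -no-CApath -CAfile "$1" ${2:+-untrusted "$2"} "$PKI/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_pki || exit 1
trap 'rm -rf "$PKI"' EXIT
echo "stale store,   server sends intermediate:        $(outcome "$PKI/stale.pem" "$PKI/int.pem")"
echo "updated store, server sends intermediate:        $(outcome "$PKI/updated.pem" "$PKI/int.pem")"
echo "updated store, server sends leaf only:           $(outcome "$PKI/updated.pem")"
echo "stale store,   server sends intermediate + root: $(outcome "$PKI/stale.pem" "$PKI/full.pem")"
```

Against a live host, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which can then be checked against the local store in the same way.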


