From: Ted Zlatanov
Newsgroups: gmane.emacs.gnus.general
Subject: Re: SSL certificate issues for git.gnus.org
Date: Fri, 25 Feb 2011 16:54:01 -0600
Message-ID: <87fwrb67zq.fsf@lifelogs.com>
To: ding@gnus.org

On Fri, 25 Feb 2011 23:39:49 +0100 asjo@koldfront.dk (Adam Sjøgren) wrote:

AS> On Fri, 25 Feb 2011 15:58:20 -0600, Ted wrote:
>> It's been a while. Can we get a valid SSL cert for git.gnus.org?

AS> How are self-signed certificates not valid? Or are you referring to the
AS> certificate expiring on 10/05/2010?

I mean they are considered invalid when you do a `git checkout' with a
standard system. I should have been more precise, sorry. It looks like
this:

"% git clone https://git.gnus.org/gnus.git
Initialized empty Git repository in /tmp/gnus/.git/
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.gnus.org/gnus.git/info/refs
fatal: HTTP request failed"

which looks bad. This is on Ubuntu 10.10.

>> I'd pay for it to save everyone the hassle of insecure SSL but am not
>> the owner of the domain.

AS> How is SSL using a self-signed certificate insecure?

Users have to either import the certificate initially or disable
http.sslVerify. Neither is as secure as a valid certificate chain with
a CA bundle that's already installed, although the former is better of
course.

>> It can even come from http://www.cacert.org/ -- it's not hard to add
>> their CA bundle. Or StartSSL, which is free and works in all major
>> browsers and `curl' because their CA bundle is already well-accepted.

AS> Do either of those support making certificates with subjectAltNames in
AS> them?

I don't know, sorry. StartSSL is extremely basic so probably no with
them.

Ted
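
The two workarounds named in the message above, as an added example that is not part of the thread or of the Gnus project: `audit_git_tls` reports where certificate verification has been disabled, and `pin_host_cert` imports one certificate for one URL only. Both function names are hypothetical, and the per-URL `http.<url>.*` keys and `--show-origin` assume a git release that supports them.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# audit_git_tls [repo]: print every setting that turns certificate
# verification off for git; return 1 if any is found, 0 otherwise.
audit_git_tls() {
    repo=${1:-.}
    found=0
    # Setting this variable to any value disables verification and
    # takes precedence over the config files.
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then
        echo "environment: GIT_SSL_NO_VERIFY is set"
        found=1
    fi
    # Covers http.sslVerify and per-URL http.<url>.sslVerify at system,
    # global and repository scope. --bool normalises no/off/0 to "false";
    # --show-origin names the file each value comes from.
    settings=$(git -C "$repo" config --bool --show-origin \
        --get-regexp '^http\.(.*\.)?sslverify$' 2>/dev/null || true)
    while IFS= read -r line; do
        case $line in
            *" false") echo "config: $line"; found=1 ;;
        esac
    done <<EOF
$settings
EOF
    return "$found"
}

# pin_host_cert repo url pem: the "import the certificate" option, scoped
# to one URL so the CA bundle used for every other host is unchanged.
pin_host_cert() {
    # Refuse a file that does not contain a PEM certificate.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$3" || return 2
    git -C "$1" config "http.$2.sslCAInfo" "$3"
    git -C "$1" config "http.$2.sslVerify" true
}
```

For the initial clone, where no repository exists yet, `git -c http.sslCAInfo=<file> clone <url>` applies the same certificate for that one command.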