Devuan logs - #53, boring messages


Message sent to [email protected], golinux <[email protected]>:


X-Loop: [email protected]
Subject: bug#53: Website not working when using TLSA
Reply-To: Klaus Ethgen <[email protected]>, [email protected]
Resent-From: Klaus Ethgen <[email protected]>
Resent-To: [email protected]
Resent-CC: golinux <[email protected]>
Resent-Date: Mon, 03 Apr 2017 20:03:01 UTC
Resent-Message-ID: <[email protected]>
Resent-Sender: [email protected]
X-Devuan-PR-Message: report 53
X-Devuan-PR-Package: devuan-www
X-Devuan-PR-Keywords: 
Received: via spool by [email protected] id=B.149124960224531
          (code B ref -1); Mon, 03 Apr 2017 20:03:01 UTC
Received: (at submit) by bugs.devuan.org; 3 Apr 2017 20:00:02 +0000
Delivered-To: [email protected]
Received: from mail.dyne.org [178.62.188.7]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Mon, 03 Apr 2017 22:00:02 +0200 (CEST)
Received: from tschil.ethgen.ch (tschil.ethgen.ch [5.9.7.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by tupac2.dyne.org (Postfix) with ESMTPS id 776B018BF8E
	for <[email protected]>; Mon,  3 Apr 2017 19:53:06 +0000 (UTC)
Received: from [192.168.17.4] (helo=ikki.ket)
	by tschil.ethgen.ch with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.88)
	(envelope-from <[email protected]>)
	id 1cv82D-0004E2-4w
	for [email protected]; Mon, 03 Apr 2017 21:53:05 +0200
Received: from klaus by ikki.ket with local (Exim 4.89)
	(envelope-from <[email protected]>)
	id 1cv82C-0000VM-Cv
	for [email protected]; Mon, 03 Apr 2017 21:53:04 +0200
Date: Mon, 3 Apr 2017 20:53:04 +0100
From: Klaus Ethgen <[email protected]>
To: [email protected]
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; x-action=pgp-signed
OpenPGP: id=79D0B06F4E20AF1C;
 url=http://www.ethgen.ch/~klaus/79D0B06F4E20AF1C.txt; preference=signencrypt
User-Agent: NeoMutt/20170306 (1.8.0)
X-Spam-Status: No, score=-2.3 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	RCVD_IN_DNSWL_MED,SPF_PASS autolearn=disabled version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tupac2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: devuan-www
Severity: important

For several months, the web page (www.devuan.org) has not been viewable for
those who care about security and trust only the certificate that the
owner has access to instead of every untrusted CA.

The way to do that is DNSSEC with TLSA and thankfully, Devuan does
support that.

Unfortunately, for several months (I believe since Devuan switched to
that horrible Let's Encrypt) the page hasn't matched the TLSA record
anymore. That leads to an unviewable page if one cares about security.

So the TLSA record should be updated to match the SSL certificate of the
page (or the right SSL certificate should be used).

There are a few solutions for this if it is really the switch to Let's
Encrypt that is the cause:
- Every time you replace the SSL certificate, update the TLSA record
  too. That is very painful as Let's Encrypt drives security ad absurdum
  by replacing the certificate with every single new load. (Keep in
  mind, not everyone is checking the site every hour.) That is the most
  stupid (sorry) way.
- Get a certificate from a more stable source that is not replacing the
  certificates that often. You still need to change the TLSA record
  every time you replace the certificate. That is, in my opinion, the
  most reliable way.
- If you don't care about the fucked up CA stuff, just generate a self
  signed certificate and put the right stuff into the TLSA record. This is
  the most honest way to go but realistically, as browser vendors seem
  to passively boycott DNSSEC, this is no way to go for a site like
  Devuan.
- The last way would be to use the CA fingerprint instead of the one of
  the actual certificate. Or use the fingerprint of the key if you don't
  change it with every certificate renewal. This is making good face on
  a bad matter but it is working too.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <[email protected]>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Comment: Charset: ISO-8859-1

-----END PGP SIGNATURE-----
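
The renewal problem described in the report, as an added example that is not part of the bug thread: a usage-3 TLSA record with selector 0 hashes the whole certificate and so breaks on every reissue, while a selector 1 record hashes only the SubjectPublicKeyInfo and survives a renewal that keeps the key pair (the "fingerprint of the key" option above). The certificates below are constructed DER shells with a dummy signature, not real devuan.org certificates, and the DER walker and `fake_certificate` helper are written for this example; the record builder covers selectors 0/1 and matching types 0/1/2 generally.

```python
import hashlib

# --- minimal DER encoder/decoder written for this example (not a full ASN.1 library)
SEQ, INT, OID, BITSTR, UTF8, SET, UTCTIME = 0x30, 0x02, 0x06, 0x03, 0x0C, 0x31, 0x17

def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_walk(buf: bytes):
    """Yield (tag, body) for each TLV in buf, handling long-form lengths."""
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

def fake_certificate(serial: int, not_before: bytes, spki: bytes) -> bytes:
    """Constructed X.509-shaped DER with a dummy signature: only the field
    order matters here, so a TLSA selector can locate the SubjectPublicKeyInfo."""
    sig_alg = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    name = der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03")            # CN=
                                      + der(UTF8, b"www.example.org"))))
    validity = der(SEQ, der(UTCTIME, not_before) + der(UTCTIME, b"991231235959Z"))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, serial.to_bytes(2, "big"))
              + sig_alg + name + validity + name + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, bytes(33)))

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, the 7th tbsCertificate field
    (6th when the optional [0] version is absent)."""
    cert_body = next(der_walk(cert_der))[1]        # Certificate SEQUENCE
    tbs_body = next(der_walk(cert_body))[1]        # tbsCertificate SEQUENCE
    fields = list(der_walk(tbs_body))
    if fields[0][0] == 0xA0:                       # skip explicit version tag
        fields = fields[1:]
    tag, body = fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI
    return der(tag, body)

def tlsa_record(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """RFC 6698 rdata: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda d: d.hex(),
              1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"

def dane_ee_matches(cert_der: bytes, rrset: list[str]) -> bool:
    """Does any usage-3 (DANE-EE) record in the published RRset match this cert?
    Usages 0-2 need the CA chain and are out of scope for this example."""
    for rr in rrset:
        usage, selector, mtype, data = rr.split()
        if usage != "3":
            continue
        computed = tlsa_record(cert_der, 3, int(selector), int(mtype)).split()[3]
        if computed == data.lower():
            return True
    return False

# constructed key material: a P-256 SPKI shell around 64 arbitrary bytes (not a real key)
KEY_ALG = der(SEQ, der(OID, b"\x2a\x86\x48\xce\x3d\x02\x01") + der(OID, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))
SPKI_A = der(SEQ, KEY_ALG + der(BITSTR, b"\x00\x04" + bytes(range(64))))
SPKI_B = der(SEQ, KEY_ALG + der(BITSTR, b"\x00\x04" + bytes(range(64, 128))))
CERT_2017_01 = fake_certificate(0x1001, b"170101000000Z", SPKI_A)   # records published for this one
CERT_2017_04 = fake_certificate(0x1002, b"170401000000Z", SPKI_A)   # renewed, key kept
CERT_2017_07 = fake_certificate(0x1003, b"170701000000Z", SPKI_B)   # renewed, key rotated

def renewal_outcomes() -> dict:
    """Which later certificates still match records computed for CERT_2017_01?"""
    full_cert = [tlsa_record(CERT_2017_01, 3, 0, 1)]
    spki_only = [tlsa_record(CERT_2017_01, 3, 1, 1)]
    return {"3 0 1 after renewal": dane_ee_matches(CERT_2017_04, full_cert),
            "3 1 1 after renewal": dane_ee_matches(CERT_2017_04, spki_only),
            "3 1 1 after key rotation": dane_ee_matches(CERT_2017_07, spki_only)}

if __name__ == "__main__":
    for name, ok in renewal_outcomes().items():
        print(f"{name}: {'still valid' if ok else 'BROKEN'}")
```

A "3 1 1" record only helps if the renewal client is configured to reuse its private key; a key rotation still needs the record updated before the new certificate is deployed, so monitoring the live certificate against the published RRset remains necessary.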


Message sent:


X-Loop: [email protected]
From: [email protected] (Devuan bug Tracking System)
To: Klaus Ethgen <[email protected]>
Subject: bug#53: Acknowledgement (Website not working when using TLSA)
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
Precedence: bulk
X-Devuan-PR-Message: ack 53
X-Devuan-PR-Package: devuan-www
X-Devuan-PR-Keywords: 
Reply-To: [email protected]

Thank you for the problem report you have sent regarding Devuan.
This is an automatically generated reply, to let you know your message has
been received.  It is being forwarded to the developers mailing list for
their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 golinux <[email protected]>

If you wish to submit further information on your problem, please send
it to [email protected] (and *not* to
[email protected]).

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Your message specified a Severity: in the pseudo-header, but
the severity value important was not recognised.
The default severity normal is being used instead.
The recognised values are: critical, grave, normal, minor, wishlist.

Devuan Bugs Owner
(administrator, Devuan bugs database)


Message received at [email protected]:


Received: (at control) by bugs.devuan.org; 4 Apr 2017 12:16:13 +0000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.dyne.org [178.62.188.7]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Tue, 04 Apr 2017 14:16:13 +0200 (CEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(Authenticated sender: [email protected])
	with ESMTPSA id 6F17318C936
From: [email protected]
To: [email protected]
Subject: bug number #53 -- change severity to grave
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
	HEADER_FROM_DIFFERENT_DOMAINS,MISSING_DATE,MISSING_MID autolearn=disabled
	version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tupac2

severity 53 grave

quit

quit


Message sent:


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: [email protected]
From: "Devuan bug Tracking System" <[email protected]>
To: "Ralph Ronnquist (rrq)" <[email protected]>
Subject: bug#53: marked as done (Website not working when using TLSA)
Message-ID: <[email protected]>
References: <[email protected]>
 <[email protected]>
X-Devuan-PR-Message: closed 53
X-Devuan-PR-Package: devuan-www
Reply-To: [email protected]
Date: Sat, 18 Jan 2020 00:48:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1579308482-17414-0"

This is a multi-part message in MIME format...

------------=_1579308482-17414-0
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your message dated Sat, 18 Jan 2020 11:30:04 +1100
with message-id <[email protected]>
and subject line fixed
has caused the Devuan bug report #53,
regarding Website not working when using TLSA
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
53: bugs.devuan.org/cgi/bugreport.cgi?bug=53
Devuan Bug Tracking System
Contact [email protected] with problems


------------=_1579308482-17414-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 53-close) by bugs.devuan.org; 18 Jan 2020 00:40:05 +0000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Sat, 18 Jan 2020 00:40:05 +0000 (UTC)
Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id D1E00F60C88
	for <[email protected]>; Sat, 18 Jan 2020 01:30:10 +0100 (CET)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com [email protected] header.b="WwTSz0mK";
	dkim-atps=neutral
Received: by mail-pf1-f173.google.com with SMTP id n9so12668303pff.13
        for <[email protected]>; Fri, 17 Jan 2020 16:30:10 -0800 (PST)
X-Received: by 2002:a65:620d:: with SMTP id d13mr48909363pgv.252.1579307408251;
        Fri, 17 Jan 2020 16:30:08 -0800 (PST)
Received: from [192.168.103.11] ([202.53.56.203])
        by smtp.gmail.com with ESMTPSA id j20sm30128860pfe.168.2020.01.17.16.30.06
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 17 Jan 2020 16:30:07 -0800 (PST)
To: [email protected]
From: "Ralph Ronnquist (rrq)" <[email protected]>
Subject: fixed
Autocrypt: [email protected]; prefer-encrypt=mutual; keydata=
Message-ID: <[email protected]>
Date: Sat, 18 Jan 2020 11:30:04 +1100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.5 required=5.0 tests=BODY_SINGLE_WORD,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

fixed
------------=_1579308482-17414-0--

Message sent:


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: [email protected]
From: "Devuan bug Tracking System" <[email protected]>
To: Klaus Ethgen <[email protected]>
Subject: bug#53 closed by "Ralph Ronnquist (rrq)" <[email protected]>
 (fixed)
Message-ID: <[email protected]>
References: <[email protected]>
 <[email protected]>
X-Devuan-PR-Message: they-closed 53
X-Devuan-PR-Package: devuan-www
Reply-To: [email protected]
Date: Sat, 18 Jan 2020 00:48:05 +0000
Content-Type: multipart/mixed; boundary="----------=_1579308485-17414-1"

This is a multi-part message in MIME format...

------------=_1579308485-17414-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This is an automatic notification regarding your bug report
which was filed against the devuan-www package:

#53: Website not working when using TLSA

It has been closed by "Ralph Ronnquist (rrq)" <[email protected]>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact "Ralph Ronnquist (rrq)" <[email protected]> by
replying to this email.


-- 
53: bugs.devuan.org/cgi/bugreport.cgi?bug=53
Devuan Bug Tracking System
Contact [email protected] with problems

------------=_1579308485-17414-1--

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <[email protected]>.
Last modified: Sun, 1 Dec 2024 02:39:01 UTC