new certificate for svn.freebsd.org?
Matthew Seaman
matthew at FreeBSD.org
Fri Jun 17 07:53:27 UTC 2016
On 17/06/2016 00:21, Wolfgang Zenker wrote:
> I'm getting presented a new SSL certificate for svn.freebsd.org.
> Like the previous one, it can not be verified by svnlite on any
> of my 10-STABLE machines, though ca_root_nss is installed. But
> the previous certificate at least matched the fingerprint given
> on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html
The certificate was renewed yesterday -- a routine renewal as the cert
was due to expire within a week. Looks like the documentation is (as
ever) lagging behind.
Not sure why you can't validate the Gandi cert -- presumably this is due
to missing an intermediate certificate from Gandi which isn't in the
ca_root_nss collection. In those cases, the server should provide the
intermediate certificates as well as the site certificate, which it
does. (You can use 'openssl s_client' to test, amongst other methods.)
This points towards an error in certificate validation in the svnlite code.
Cheers,
Matthew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20160617/36d917a4/attachment.sig>
More information about the freebsd-stable
mailing list