msysgit / git

msysGit-based Git for Windows 1.x is now superseded by Git for Windows 2.x
http://github.com/git-for-windows/git

"Entrust Root Certification Authority - G2" is not trusted #358

Closed killerkalamari closed 9 years ago

killerkalamari commented 9 years ago

We set up a git server using Bonobo, and got a real cert (not self signed) from Entrust, for https://git.opusinspection.com/. Despite two Entrust certificates already present in /bin/curl-ca-bundle.crt, curl wasn't accepting our certificate. We checked the cert chain on sslshopper, everything seemed to be in order. I installed Git-1.9.5-preview20150319.exe because my Git was an older version. Still wasn't working.

Here is the cert (used openssl in cygwin to convert it to pem format):

    ~/Desktop$ openssl x509 -in EntrustRootCertificationAuthority-G2.pem -inform pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1246989352 (0x4a538c28)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
            Validity
                Not Before: Jul  7 17:25:54 2009 GMT
                Not After : Dec  7 17:55:54 2030 GMT
            Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier:
                    6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB
        Signature Algorithm: sha256WithRSAEncryption

Using cygwin, I appended the following to curl-ca-bundle.crt, copied it to /bin, and instantly curl (and git) started working:

    Entrust Root Certification Authority - G2
    =========================================
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

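The workaround above, appending the missing root to curl-ca-bundle.crt in the bundle's own entry format, as an added example that is not the reporter's or the project's code: it decides by DER fingerprint whether a root is already in a bundle before appending it, which is also the check behind dscho's question further down of whether a bundle's Entrust certificates are the ones you expect (compare the fingerprint against the value Entrust publishes). The certificate bodies here are constructed stand-ins, not the real Entrust root.

```python
import base64
import hashlib
import re

# Matches one PEM certificate; group 1 is the base64 body (may span lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _fingerprint(body_b64):
    """SHA-256 over the DER bytes, colon-separated hex as openssl -fingerprint prints it."""
    der = base64.b64decode("".join(body_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def cert_fingerprint(pem_text):
    """Fingerprint of the first certificate found in pem_text."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate found")
    return _fingerprint(m.group(1))

def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate in a curl-ca-bundle.crt style file."""
    return {_fingerprint(body) for body in PEM_BLOCK.findall(bundle_text)}

def add_root_if_missing(bundle_text, name, root_pem):
    """Return (bundle, added). The root is appended in the bundle's entry format
    (name, '=' underline, PEM block) only if no certificate with the same DER
    fingerprint is already present, so re-running never duplicates an entry."""
    if cert_fingerprint(root_pem) in bundle_fingerprints(bundle_text):
        return bundle_text, False
    body = PEM_BLOCK.search(root_pem).group(1)
    entry = (f"\n{name}\n{'=' * len(name)}\n-----BEGIN CERTIFICATE-----\n"
             f"{body}\n-----END CERTIFICATE-----\n")
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + entry, True

def _fake_pem(seed):
    """Constructed stand-in 'certificate': arbitrary bytes, not real DER."""
    b64 = base64.b64encode(hashlib.sha256(seed).digest() * 3).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample bundle: two existing Entrust entries (names mirror the
# issue, bodies are fake) and the G2 root that is missing from it.
SAMPLE_BUNDLE = ("Entrust.net Secure Server CA\n============================\n"
                 + _fake_pem(b"entrust-old-1")
                 + "\nEntrust Root Certification Authority\n"
                 "====================================\n" + _fake_pem(b"entrust-old-2"))
G2_NAME = "Entrust Root Certification Authority - G2"
G2_PEM = _fake_pem(b"entrust-root-g2")
```

Run it against the real bundle by reading curl-ca-bundle.crt and the PEM exported from openssl into `bundle_text` and `root_pem`, then write the returned text back only when `added` is true.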
killerkalamari commented 9 years ago

BTW, although I provided a workaround, I'm not sure what the next step on this would be to move forward. Is there a way the project team can get the root cert directly from Entrust? In security matters such as these, it is best not to trust, but rather pull from official sources. I myself find it very weird that the cert wasn't already included.

killerkalamari commented 9 years ago

Is there any way I can help move a fix forward?

dscho commented 9 years ago

Yes, you can. The first thing to test is whether Git for Windows 2.x' certificates include the one from Entrust that you need. If that works, I would suggest sticking with that version of Git for Windows (although I have no concrete ETA, it is the Git for Windows that I am working on these days).

If that also fails, I suspect that the Entrust certificates we have in our certificate bundles are not the same as you expect, and it would be good to figure out with Entrust's help what the status of our certificates is, and whether we should replace them, or augment them, or how to proceed.

killerkalamari commented 9 years ago

Sorry, I became very busy and haven't had a chance to try what you suggested. Has this been resolved? If not, could you please give me more time to try your suggestions?

dscho commented 9 years ago

I gave concrete advice 15 days ago. Since there was deafening silence since then, I closed the ticket as "dead in the water".