niemeyer / gopkg

Source code for the gopkg.in service.

Consider moving away from StartCom for SSL certificate #46

Closed joesis closed 8 years ago

joesis commented 8 years ago

This is what happened when I disabled StartCom from the list of System Root CAs, which prevented the package manager (Glide in my case) from fetching any gopkg.in dependencies.

image

Considering the community's response to what WoSign and StartCom did, it's good practice to disable them. Maybe switch to Let's Encrypt?

sattarimaseh commented 8 years ago

Developing API on smart phone doesn't allow developer toolbar. Does moving coding through Github through Startcom provide this toolbar on blumix?

niemeyer commented 8 years ago

I'll have a look at enabling lets encrypt there. I'm slightly worried about the added complexity, but let's see how it goes.

niemeyer commented 8 years ago

This is done. Please let me know if you find any issues.

bradleyfalzon commented 8 years ago

I just had a failure in Travis since you posted that message:

Fetching https://gopkg.in/gorp.v1?go-get=1
Parsing meta tags from https://gopkg.in/gorp.v1?go-get=1 (status code 200)
get "gopkg.in/gorp.v1": found meta tag main.metaImport{Prefix:"gopkg.in/gorp.v1", VCS:"git", RepoRoot:"https://gopkg.in/gorp.v1"} at https://gopkg.in/gorp.v1?go-get=1
gopkg.in/gorp.v1 (download)
# cd .; git clone https://gopkg.in/gorp.v1 /home/travis/gopath/src/gopkg.in/gorp.v1
Cloning into '/home/travis/gopath/src/gopkg.in/gorp.v1'...
fatal: unable to access 'https://gopkg.in/gorp.v1/': gnutls_handshake() failed: A TLS fatal alert has been received.
package gopkg.in/gorp.v1: exit status 128

Anyone else still having issues? Edit: seems to be working from home and it's detecting LE:

gnutls-cli gopkg.in
Processed 167 CA certificate(s).
Resolving 'gopkg.in'...
Connecting to '45.33.69.124:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=gopkg.in', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', EC key 256 bits, signed using RSA-SHA256, activated `2016-11-02 09:07:00 UTC', expires `2017-01-31 09:07:00 UTC', SHA-1 fingerprint `891bfdd798dd5b63d0284c261ce873d9a11c952e'
        Public Key ID:
                1084f9fbb2aa89fb59ced9cc01d853c8a4a494ba
        Public key's random art:
                +--[  EC  256]----+
                | .o .+o          |
                |.+ +o. .         |
                |o . o.o          |
                |.  o ...         |
                | .. +  .S        |
                |E    o.          |
                |    . ..         |
                | . * =...        |
                |oo=.=.=o         |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-128-GCM)
- Session ID: AE:4D:C9:AC:9F:AD:42:F0:B4:DF:51:BE:B1:88:18:85:B1:59:90:D9:01:03:4C:B3:01:8C:00:49:A8:98:D5:09
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed

niemeyer commented 8 years ago

I've observed a large number of errors about unsupported ciphers and reverted. Will figure it out and try again. Please do let me know again if you see follow-up problems.

joesis commented 8 years ago

I see the following from macOS Sierra, even with the GIT_SSL_NO_VERIFY=true option. Any way to bypass it?

Cloning into '/Users/joesis/.glide/cache/src/https-gopkg.in-redis.v3'...
fatal: unable to access 'https://gopkg.in/redis.v3/': Unknown SSL protocol error in connection to gopkg.in:-9838

joesis commented 8 years ago

I got the same even if I trusted StartCom, so it should be something else.

niemeyer commented 8 years ago

Does it work on your browser? What if you try to git clone https://gopkg.in/redis.v3 (no slash at the end)?

niemeyer commented 8 years ago

Note that it has been redeployed again, so it's now using RSA certificates from Let's Encrypt.
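
The two failure modes in this thread, a client whose trust store no longer contains the issuing CA (the StartCom removal in the first post) and a client that cannot negotiate a cipher suite for an ECDSA certificate (the "unsupported ciphers" errors that forced the revert, and the reason for the RSA redeploy above), reproduced in Go as an added example. This is not code from the gopkg repository: it builds throwaway self-signed certificates for the name gopkg.in in memory and runs TLS 1.2 handshakes over net.Pipe, so nothing touches the real site. The scenario names, the cipher-suite lists, and the choice of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the "old client" suite are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned generates a key of the requested kind ("ecdsa" or "rsa") and a throwaway
// self-signed certificate for the name gopkg.in: constructed stand-in material, not the
// site's real certificate.
func selfSigned(kind string) (tls.Certificate, error) {
	var priv crypto.Signer
	var err error
	if kind == "rsa" {
		priv, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "gopkg.in"},
		DNSNames:     []string{"gopkg.in"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der) // parsed copy seeds the client's root pool below
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, err
}

// probe runs one TLS 1.2 handshake over an in-memory pipe: the server presents a fresh
// certificate of the given key kind, the client offers only clientSuites and trusts the
// server's certificate only when trustRoot is set. It returns the negotiated suite name or
// the client's error (a suite mismatch arrives as a handshake_failure alert from the
// server, a missing root as an x509 unknown-authority error).
func probe(kind string, clientSuites []uint16, trustRoot bool) (string, error) {
	cert, err := selfSigned(kind)
	if err != nil {
		return "", err
	}
	srv, cli := net.Pipe()
	server := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12})
	go func() { // server side; its handshake errors reach the client as alerts
		server.Handshake()
		srv.Close()
	}()
	pool := x509.NewCertPool() // an empty pool models a trust store with the issuing CA removed
	if trustRoot {
		pool.AddCert(cert.Leaf)
	}
	client := tls.Client(cli, &tls.Config{
		RootCAs:      pool,
		ServerName:   "gopkg.in",
		MaxVersion:   tls.VersionTLS12, // pin 1.2 so the CipherSuites list is what gets negotiated
		CipherSuites: clientSuites,
	})
	defer client.Close()
	if err := client.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}

// runScenarios replays the thread's situations; each value is the negotiated suite or the failure.
func runScenarios() map[string]string {
	rsaOnly := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}    // older client with no ECDSA suites
	ecdsaOK := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} // client able to use an EC certificate
	out := map[string]string{}
	record := func(name, kind string, suites []uint16, trust bool) {
		suite, err := probe(kind, suites, trust)
		if err != nil {
			suite = "handshake failed: " + err.Error()
		}
		out[name] = suite
	}
	record("ecdsa-cert/rsa-only-client", "ecdsa", rsaOnly, true)          // the "unsupported ciphers" reports
	record("ecdsa-cert/ecdsa-capable-client", "ecdsa", ecdsaOK, true)     // same certificate, capable client
	record("rsa-cert/rsa-only-client", "rsa", rsaOnly, true)              // the RSA redeploy
	record("rsa-cert/ca-removed-from-trust-store", "rsa", rsaOnly, false) // the issuing CA distrusted locally
	return out
}

func main() { fmt.Println(runScenarios()) }
```

`go run` prints one entry per scenario. The ECDSA certificate fails only against the client restricted to RSA suites, which is why switching the site to an RSA certificate fixes those clients without any change on their side; the trust-store case fails no matter which suite is offered and can only be resolved by the client trusting the issuer or by the site moving to a CA the client already trusts.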

joesis commented 8 years ago

Thanks @niemeyer! git clone and go get work, so it's definitely not something on the site itself.

AlexNimoy commented 8 years ago

macOS Sierra

go get gopkg.in/airbrake/gobrake.v2
# cd .; git clone https://gopkg.in/airbrake/gobrake.v2 /Users/aectann/golang/src/gopkg.in/airbrake/gobrake.v2
Cloning into '/Users/aectann/golang/src/gopkg.in/airbrake/gobrake.v2'...
fatal: unable to access 'https://gopkg.in/airbrake/gobrake.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838
git clone https://gopkg.in/airbrake/gobrake.v2
Cloning into 'gobrake.v2'...
fatal: unable to access 'https://gopkg.in/airbrake/gobrake.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838

joesis commented 8 years ago

@Backstabe What's your git version? https://support.cloudbees.com/hc/en-us/articles/218154647-git-Unknown-SSL-protocol-error-in-connection is a great source to check for this error.

AlexNimoy commented 8 years ago

@joesis git version 2.10.2

⇒ curl --version
curl 7.51.0 (x86_64-apple-darwin16.1.0) libcurl/7.51.0 SecureTransport zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz UnixSockets

 git clone https://gopkg.in/airbrake/gobrake.v2
Cloning into 'gobrake.v2'...
* Couldn't find host gopkg.in in the .netrc file; using defaults
*   Trying 45.33.69.124...
* Connected to gopkg.in (45.33.69.124) port 443 (#0)
* Unknown SSL protocol error in connection to gopkg.in:-9838
* Closing connection 0
fatal: unable to access 'https://gopkg.in/airbrake/gobrake.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838

If I substitute the port manually:

git clone https://gopkg.in:9838/airbrake/gobrake.v2
Cloning into 'gobrake.v2'...
* Couldn't find host gopkg.in in the .netrc file; using defaults
*   Trying 45.33.69.124...
* connect to 45.33.69.124 port 9838 failed: Connection refused
* Failed to connect to gopkg.in port 9838: Connection refused
* Closing connection 0
fatal: unable to access 'https://gopkg.in:9838/airbrake/gobrake.v2/': Failed to connect to gopkg.in port 9838: Connection refused

niemeyer commented 8 years ago

@joesis @Backstabe: That extra slash at the end of the URL seems suspect. Are you running this in the CLI, or is it running under some sort of IDE? Can you try in the CLI and make sure there's no slash at the end?

AlexNimoy commented 8 years ago

@niemeyer yes, the trailing slash is suspect. I use https://github.com/constabulary/gb in the CLI; manifest file:

{
  "importpath": "gopkg.in/airbrake/gobrake.v2",
  "repository": "https://gopkg.in/airbrake/gobrake.v2",
  "revision": "5d77bd50d083834501349f8be70197b26963674d",
  "branch": "master"
}

I tried running git clone and go get; the slash is entered automatically.

niemeyer commented 8 years ago

Okay, that's not it then. That negative port number (-9838) seems suspect. Looks like non-initialized memory. Can you please try this explicitly:

git clone https://gopkg.in:443/airbrake/gobrake.v2

AlexNimoy commented 8 years ago

@niemeyer

⇒  git clone https://gopkg.in:443/airbrake/gobrake.v2
Cloning into 'gobrake.v2'...
* Couldn't find host gopkg.in in the .netrc file; using defaults
*   Trying 45.33.69.124...
* Connected to gopkg.in (45.33.69.124) port 443 (#0)
* Unknown SSL protocol error in connection to gopkg.in:-9838
* Closing connection 0
fatal: unable to access 'https://gopkg.in:443/airbrake/gobrake.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838

niemeyer commented 7 years ago

@Backstabe Okay, the most likely issue is that your git client is using a deprecated SSLv2 handshake.

Can you please retry now?

niemeyer commented 7 years ago

@Backstabe ping

AlexNimoy commented 7 years ago

@niemeyer It's not working.

soupdiver commented 7 years ago

Same problem here. OS: macOS Sierra (10.12.1 (16B2555)). Git: git version 2.10.2

I have git and OpenSSL installed via brew and everything is up to date.

go get gopkg.in/yaml.v2
# cd .; git clone https://gopkg.in/yaml.v2 /Users/felix/gocode/src/gopkg.in/yaml.v2
Cloning into '/Users/felix/gocode/src/gopkg.in/yaml.v2'...
fatal: unable to access 'https://gopkg.in/yaml.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838
package gopkg.in/yaml.v2: exit status 128
git clone https://gopkg.in:443/airbrake/gobrake.v2
Cloning into 'gobrake.v2'...
fatal: unable to access 'https://gopkg.in:443/airbrake/gobrake.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838

AlexNimoy commented 7 years ago

try git config --global http.sslVerify true

soupdiver commented 7 years ago

@Backstabe Nice, thanks! But why does it work with explicit ssl verification? Shouldn't verification be on by default?