Re: ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

On 26.8.2014 17:00, Eric H. Christensen wrote:
> On Tue, Aug 26, 2014 at 12:36:47PM +0200, Vít Ondruch wrote:
> > $ gem fetch power_assert
> > ERROR:  Could not find a valid gem 'power_assert' (>= 0), here is why:
> >           Unable to download data from https://rubygems.org/ -
> > SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
> > certificate verify failed
> >
> > (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)
>
>
> > Upstream RubyGems ships the certificates, but on your request, I removed
> > the bundled certificates [1]. Now, 3 months later, RubyGems are broken in
> > F21+ due to this update. Luckily, I have never backported this commit to
> > F20, so this particular update is not harmful for stable Fedora release,
> > but what am I supposed to do with F21+?
>
> > I don't feel like contacting Amazon. You claim that nothing should break
> > and Mozilla contacted everybody, so why not Amazon? Are they so
> > negligible?
>
> > Should I follow your advice or follow upstream? Sorry, but this puzzles
> > me ...
>
>
> Hmmm, according to SSLLabs[0] rubygems.org is using a 2048-bit
> certificate and chains all the way up to the CA with 2048-bit
> certificate.  The s3.amazonaws.com URL also uses a 2048-bit cert and
> chains up to the CA with 2048-bit certs as well.  If the "fix" to the
> CA trust file only removed CAs with weak (<2048-bit) certificates it
> would appear that the breakage you see wouldn't be affected by this.

These are the certificates which RubyGems upstream bundles:

https://github.com/rubygems/rubygems/tree/master/lib/rubygems/ssl_certs

Actually I discussed this a bit with Tomáš Mráz and he said that the cert
chain is 2048 bit server cert -> 2048 bit intermediate -> 1024 bit root CA
and OpenSSL can't handle this situation by default.

>
> Out of curiosity, did certificate verification get turned on in the F21
> version?

No. It has been turned on for some time already. The difference is that in F20
these certificates are still bundled in the rubygems package and they are
explicitly loaded by RubyGems. If you remove them manually from
/usr/share/rubygems/rubygems/ssl_certs/ (and this is basically what we
do in F21+), you can reproduce the error on F20 as well. I.e. without
those certificates, RubyGems works with ca-certificates-2013.1.97-1.fc20
but doesn't work with ca-certificates-2014.2.1-1.0.fc20.


Vít
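An added example (not from this thread, the rubygems package or ca-certificates) that inventories a PEM bundle and flags self-signed roots with keys shorter than 2048 bits: the check behind Eric's "only removed CAs with weak (<2048-bit) certificates" and the "2048 -> 2048 -> 1024 bit root" diagnosis above. It assumes only the openssl CLI is installed; any certificates fed to it here are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list every certificate in a PEM bundle as
# "<key bits> <root|intermediate> <subject>" and count the weak roots.
# Assumes the openssl CLI; works with OpenSSL 1.0.x, 1.1.x and 3.x output.

cert_inventory() {
    local bundle="$1" dir f bits subj issuer kind
    dir=$(mktemp -d)
    # Split the bundle into one file per BEGIN/END CERTIFICATE block,
    # skipping any leading comment text before the first certificate.
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
         n > 0 {print > sprintf("%s/cert%03d.pem", dir, n)}' "$bundle"
    for f in "$dir"/cert*.pem; do
        # "-text" prints "Public-Key: (N bit)" (3.x) or "RSA Public-Key: (N bit)" (1.1.x).
        bits=$(openssl x509 -in "$f" -noout -text \
               | grep -oE '\([0-9]+ bit\)' | head -n1 | tr -dc '0-9')
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 \
               | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 \
               | sed 's/^issuer= *//')
        # A certificate that issued itself is a trust anchor (root); anything
        # else needs an issuer further up the chain.
        if [ "$subj" = "$issuer" ]; then kind=root; else kind=intermediate; fi
        printf '%s %s %s\n' "$bits" "$kind" "$subj"
    done
    rm -rf "$dir"
}

# Number of self-signed roots with keys below 2048 bits: these are the
# anchors a weak-key cleanup of the trust store removes, and any server
# chain that ends in one of them stops verifying afterwards.
count_weak_roots() {
    cert_inventory "$1" | awk '$2 == "root" && $1+0 < 2048 {n++} END {print n+0}'
}
```

Run `cert_inventory /etc/pki/tls/certs/ca-bundle.crt` against the old and the new bundle and diff the output to see exactly which roots a ca-certificates update dropped.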