
Updated Arcanist default.pem with the most recent one from Mozilla
Abandoned · Public

Authored by Ekubischta on Oct 4 2021, 13:34.

Details

Summary

The current default.pem file in Arcanist is from Wed Jan 20 04:12:04 2016 and at this point is out of date.

This revision replaces that .pem file with the one from https://curl.se/ca/cacert.pem, which is the Mozilla CA certificate store from https://curl.se/docs/caextract.html.

Specifically, this addresses any issues with the LetsEncrypt root certificate expiration of 9/30/21.

Test Plan

Ran this and did not get a failure: curl -v --cacert ./resources/ssl/default.pem https://letsencrypt.org/

NOTE: We are getting a lint failure because of characters; this will need to be ignored in a future update to this revision.

Diff Detail

Repository
rARC Arcanist
Branch
T15051-Arcanist_DefaultPem_OutOfDate
Lint
Lint Errors
Severity | Location                       | Code | Message
Error    | resources/ssl/default.pem:649  | TXT5 | Bad Charset
Unit
No Test Coverage
Build Status
Buildable 47
Build 47: arc lint + arc unit

Event Timeline

Ekubischta edited the test plan for this revision.

Because of security issues related to this I'd like to have a verification of this type of change, since this inherently defines the trust used by arc.

Maybe 2 core members independently verify these certificate changes? Is there a fast way to verify the individual certs changed here?

In D25023#827, @speck wrote:

Because of security issues related to this I'd like to have a verification of this type of change, since this inherently defines the trust used by arc.

Maybe 2 core members independently verify these certificate changes? Is there a fast way to verify the individual certs changed here?

One option is to validate against the SHA-256 hash.

The details of the file are here: https://curl.se/docs/caextract.html

The SHA-256 hash according to them is here: https://curl.se/ca/cacert.pem.sha256

You can validate the PEM in this revision by running sha256sum ./resources/ssl/default.pem; it should match.

For verbosity, the hash is f524fc21859b776e18df01a87880efa198112214e13494275dbcbd9bcb71d976
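One way to carry out both checks raised in this thread (the whole-file SHA-256 comparison above, and the reviewer's question about a fast way to see which individual certs changed), as an added example that is not part of this revision or of Arcanist's own code. It assumes curl's bundle layout (a CA name line, an `=` underline, then the PEM block); the bundles and expected hash it uses are constructed placeholders, not the real default.pem or its published hash.

```python
import base64
import hashlib

def bundle_matches(bundle: bytes, expected_hex: str) -> bool:
    """Compare the whole file's SHA-256 with the value published beside it
    (for the real file: the contents of cacert.pem.sha256)."""
    return hashlib.sha256(bundle).hexdigest() == expected_hex.strip().lower()

def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of one certificate, computed over its DER bytes."""
    return hashlib.sha256(der).hexdigest()

def cert_fingerprints(pem_text: str) -> dict:
    """Map each certificate's fingerprint to the label line above its block
    (cacert.pem names every CA on a line underlined with '=')."""
    fps, label, body = {}, "<unlabelled>", None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----":
            # The base64 payload between the markers is the DER certificate.
            fps[der_fingerprint(base64.b64decode("".join(body)))] = label
            body = None
        elif body is not None:
            body.append(line)
        elif line and not line.startswith("#") and set(line) != {"="}:
            label = line
    return fps

def diff_bundles(old_pem: str, new_pem: str):
    """Return ({added fp: label}, {removed fp: label}) so reviewers only
    need to look at the roots that actually changed between two bundles."""
    old, new = cert_fingerprints(old_pem), cert_fingerprints(new_pem)
    added = {fp: lbl for fp, lbl in new.items() if fp not in old}
    removed = {fp: lbl for fp, lbl in old.items() if fp not in new}
    return added, removed

def _block(label: str, payload: bytes) -> str:
    # Constructed placeholder entry: a real bundle carries DER X.509 here.
    b64 = base64.encodebytes(payload).decode()
    return f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed sample bundles standing in for the 2016 and 2021 default.pem.
OLD_BUNDLE = _block("Root A", b"root-A-der") + _block("Root B", b"root-B-der")
NEW_BUNDLE = _block("Root A", b"root-A-der") + _block("Root C", b"root-C-der")
```

Against the real files, `bundle_matches(open("resources/ssl/default.pem", "rb").read(), published_hash)` replaces the manual sha256sum comparison, and `diff_bundles(old_text, new_text)` lists only the roots a second reviewer still has to look at.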

I computed the sha256 sum of the changed/updated file and verified that it matches the cert file on https://curl.se/docs/caextract.html for 2021-09-30.

Note that there's currently a newer cert file on that page. Would it matter that we're updating to a file that's no longer the newest? I think the primary issue was difference in certs that changed sometime in August/September with letsencrypt that caused issues.

This revision is now accepted and ready to land. (Dec 1 2021, 16:27)

We should abandon this revision as secure has already updated their pem - see https://lch.lcdevops.com/rLCARCANIST13d3a3c3b100979c34dda261fe21253e3571bc46

Once the Phorge repo is synced to the secure changes, this will be here