Paths

Table of Contentst

Differential D25023

Updated Arcanist default.pem with the most recent one from Mozilla
AbandonedPublic
Actions

Authored by Ekubischta on Oct 4 2021, 13:34.

Details

Reviewers

speck

Group Reviewers

O1: Blessed Committers

Maniphest Tasks

T15051: default.pem in Arcanist is out of date - maybe remove it completely?

Summary

The current default.pem file in Arcanist is from Wed Jan 20 04:12:04 2016 and at this point is out of date

This revision replaces that .pem file with the one from here https://curl.se/ca/cacert.pem which is the Mozilla CA Certificate store from https://curl.se/docs/caextract.html

Specifically, this addresses any issues with the LetsEncrypt root certificate expiration of 9/30/21

Test Plan

Ran this and did not get a fail curl -v --cacert ./resources/ssl/default.pem https://letsencrypt.org/

NOTE: We are getting a lint failure because of characters, this will need to be ignored in a future update to this revision

Diff Detail

Repository

rARC Arcanist

Branch

T15051-Arcanist_DefaultPem_OutOfDate

Lint

Lint Errors

Severity	Location	Code	Message
Error	resources/ssl/default.pem:649	TXT5	Bad Charset

Unit

No Test Coverage

Build Status

Buildable 47
Build 47: arc lint + arc unit

Event Timeline

Ekubischta created this revision.Oct 4 2021, 13:34

Owners added a reviewer: O1: Blessed Committers.Oct 4 2021, 13:34

Herald added subscribers: valerio.bozzolan, tobiaswiese, speck. · View Herald TranscriptOct 4 2021, 13:34

Ekubischta requested review of this revision.Oct 4 2021, 13:34

Harbormaster completed remote builds in B47: Diff 67.Oct 4 2021, 13:34

Ekubischta edited the summary of this revision. (Show Details)Oct 4 2021, 13:37

Ekubischta edited the test plan for this revision. (Show Details)

Ekubischta mentioned this in T15051: default.pem in Arcanist is out of date - maybe remove it completely?.Oct 4 2021, 13:49

Ekubischta mentioned this in T15052: Deal with DST_Root_CA_X3 expiry (Let's Encrypt).Oct 6 2021, 16:06

Because of security issues related to this I’d like to have a verification of this type of change since this inherently defines the trust used by arc.

Maybe 2 core members independently verify the these certificate changes? Is there an fast way to verify the individual certs changed here?

In D25023#827, @speck wrote:

Because of security issues related to this I’d like to have a verification of this type of change since this inherently defines the trust used by arc.

Maybe 2 core members independently verify the these certificate changes? Is there an fast way to verify the individual certs changed here?

One option is to validate against the sha-256 hash

The details of the file are here https://curl.se/docs/caextract.html

The sha256hash according to them is here : https://curl.se/ca/cacert.pem.sha256

You can validate the pem in this revision by running sha256sum ./resources/ssl/default.pem and it should match

For verbosity, the hash is f524fc21859b776e18df01a87880efa198112214e13494275dbcbd9bcb71d976

speck edited the test plan for this revision. (Show Details)Dec 1 2021, 16:20

I computed the sha256 sum of the change/updated file and verified that it matches the cert file on https://curl.se/docs/caextract.html for 2021-09-30.

Note that there's currently a newer cert file on that page. Would it matter that we're updating to a file that's no longer the newest? I think the primary issue was difference in certs that changed sometime in August/September with letsencrypt that caused issues.

This revision is now accepted and ready to land.Dec 1 2021, 16:27

We should abandon this revision as secure has already updated their pem - see https://lch.lcdevops.com/rLCARCANIST13d3a3c3b100979c34dda261fe21253e3571bc46

Once the Phorge repo is synced to the secure changes, this will be here

Revision Contents
Changeset List

Path

Size

Packages

resources/

ssl/

default.pem

3141 lines

O1: Blessed Committers

Diff 67

View Options

Updated Arcanist default.pem with the most recent one from MozillaAbandonedPublicActions