On Tue, Aug 26, 2014 at 12:36:47PM +0200, Vít Ondruch wrote:
> $ gem fetch power_assert
> ERROR: Could not find a valid gem 'power_assert' (>= 0), here is why:
>     Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)
>
> Upstream RubyGems ships the certificates, but on your request, I removed the bundled certificates [1]. Now, 3 months later, RubyGems are broken in F21+ due to this update. Luckily, I have never backported this commit to F20, so this particular update is not harmful for the stable Fedora release, but what am I supposed to do with F21+?
>
> I don't feel like contacting Amazon. You claim that nothing should break and Mozilla contacted everybody, so why not Amazon? Are they so negligible?
>
> Should I follow your advice or follow upstream? Sorry, but this puzzles me ...

Hmmm, according to SSLLabs[0] rubygems.org is using a 2048-bit certificate and chains all the way up to the CA with 2048-bit certificate. The s3.amazonaws.com URL also uses a 2048-bit cert and chains up to the CA with 2048-bit certs as well. If the "fix" to the CA trust file only removed CAs with weak (<2048-bit) certificates it would appear that the breakage you see wouldn't be affected by this.

Out of curiosity, did certificate verification get turned on in the F21 version?

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project

sparks@fedoraproject.org - sparks@redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
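
The key-size question raised in the reply can be checked locally instead of through SSLLabs. The following is an added example, not part of the original message or of RubyGems: it reads a PEM bundle (a CA trust file or a saved server chain) and lists every certificate whose RSA key is below 2048 bits. The helper names and the `*.example` certificates are constructed for illustration.

```ruby
require "openssl"

MIN_RSA_BITS = 2048 # threshold discussed in the message above

# Split a PEM bundle (trust file or server chain) into certificate objects.
def certs_from_pem(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# One [subject, key type, key bits] row per certificate in the bundle.
def key_report(pem)
  certs_from_pem(pem).map do |cert|
    key = cert.public_key
    case key
    when OpenSSL::PKey::RSA then [cert.subject.to_s, "RSA", key.n.num_bits]
    when OpenSSL::PKey::EC  then [cert.subject.to_s, "EC", key.group.degree]
    else [cert.subject.to_s, key.class.name, nil]
    end
  end
end

# Subjects of certificates whose RSA modulus is shorter than min_bits.
def weak_rsa_subjects(pem, min_bits = MIN_RSA_BITS)
  key_report(pem)
    .select { |_, type, bits| type == "RSA" && bits < min_bits }
    .map(&:first)
end

# Constructed sample input: a throwaway self-signed certificate.
def sample_cert(common_name, bits)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = bits
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  bundle = sample_cert("weak-ca.example", 1024) + sample_cert("strong-ca.example", 2048)
  key_report(bundle).each { |subject, type, bits| puts "#{type} #{bits} #{subject}" }
  puts "below #{MIN_RSA_BITS} bits: #{weak_rsa_subjects(bundle).inspect}"
end
```

To audit a real trust file, pass its contents to `weak_rsa_subjects` with `File.read`; running it against the bundle from before and after a CA update shows exactly which roots the update dropped for key size.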