-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wget gives certificate error for dotnet.microsoft.com #6830
Comments
Should this be transferred to |
The issue is with the certificate for |
cc @dagood @marek-safar for awareness. |
It doesn't repro for me on Fedora 33 but does repro exactly the same (with slightly different IPs) in a clean Fedora 34 container. Command for easy repro:
This also repros: @mairaw are you the right person to help with this? |
We had a similar thread before where we couldn't determine why dot.net wasn't working. @ChrisSfanos helped with this before for the dot.net redirection service. Do you also have issues if you use the dotnet.microsoft.com URL? |
Yeah, this also repros for me:
|
Tagging @terrimorton as well |
So we just did an ECR and rotated the certificates. Do we have a mismatch somewhere? Is the older cert still in use on FrontDoor? Edit - ok that probably isn't it as Front Door is set to "Latest" for Secret version. Could this be a weird cache problem? On a machine that repos, are you able to see the certificate it's grabbing? If so, can you share the first 5 characters of the thumbprint? |
Here's what I get:
|
Thanks - I checked and that certificate is the latest one (rotated into place on 10/7). When I visit dotnet.microsoft.com in the browser, that is also the certificate I get the full path is valid. So I admit I'm not sure what is going on in this case yet |
The cert appears to be valid, just untrusted. But, I don't know enough about certificate trust to know if that's just nitpicking, or how to investigate further into why it isn't trusted by this distro. I checked a Fedora 33 Docker image, and it also repros the same as the Fedora 34 Docker image. For me, only my actively used dev box with Fedora 33 didn't repro. .NET (especially NuGet) has had run-ins with |
I ran the SSL Server Test at https://www.ssllabs.com/ssltest/ (and hid the result from the boards). I am currently digging into the results to see why there are "B" ratings. This may be the key to the underlying issue. |
Attached is the report Some things that stand out: Certificate 1 - Subject: dotnet.microsoft.com Certificate 2 - Subject: *.azureedge.net Trusted No NOT TRUSTED General |
|
On F34 wget is linked to GnuTLS, using GnuTLS tools I get this:
Seem like OCSP issues of some kind. Unfortunately the --no-ocsp options seem not work, so can't tell if this is a real OCSP issue or something else. |
Interesting! Following along with https://security.stackexchange.com/a/73200, I get an interesting result:
Is http://oneocsp.microsoft.com/ocsp misbehaving? |
Running gnutls-cli with -d 9999 spits these lines at some point (trimmed of other debug statements):
|
Looking at https://oneocsp.microsoft.com/ocsp with a browser I see this:
|
And at http:// I get a 500 error, but that may be ok given I am making no real query |
I didn't think to check |
According to the analysis by @ansasaki, the OCSP response is signed with RSA-SHA1, which is disabled by the DEFAULT crypto-policies setting in F34: |
A comment on the ticket says that OpenSSL accepting the certificate may be a bug. If OpenSSL would not accept it, the impact would be far greater than just affecting |
Thanks all for the detailed investigative help. 🙂 The team is now looking into what it'll take to get an F33/F34 gnutls-acceptable cert set up for the .NET site. |
Slight clarification - the cert used on the dot.net site is correct. The issue is that the OCSP is returning a SHA1 encoded response that F34 (by default) won't accept (thanks @ansasaki) - we've forwarded the issue to some internal teams who will take a look |
According to RFC 6960 , (specifically section 4.3) OCSP responders can return responses signed using RSA with SHA1. RFC 5019 which standardizes "The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments" states that only SHA1 should be supported. OneOCSP is compliant to the RFCs similarly to the LE OCSP responder. |
@rzio besides saying that gnu_tls should support SHA1, is your reply also meant to imply that you don't plan to change the algorithms used by OneOCSP? I'm not an expert. Skimming through the RFCs, I get the impression the recommended algorithm changed over time from SHA-1 to SHA-256. I haven't seen issues besides with the Microsoft sites, or find reports about it. That means other sites are using an OCSP server that supports more than SHA-1. |
@rzio I've added your comment to the gnu_tls bugzilla ticket: https://bugzilla.redhat.com/show_bug.cgi?id=2003363. |
I think this is not relevant; the RFC only states:
and nothing else, while we are talking about SHA1 usage in signatures. Also note that it is a distro-wide decision to disable SHA1 signatures by default, not a decision by the single TLS library; the detailed rationale can be found at the change proposal. |
Is addition of '--no-check-certificate' to the script too insecure to be feasible? |
This prevents compilation of PowerShell. |
Yes, this is a no-go. When you add this, you can't consider anything that happens next to be secure/trusted. |
Update from the OneOCSP side: Due to a new CAB forum requirement, OneOCSP will switch the algorithm to SHA-256 by 2022-5-31. |
Closing as the issue is fixed. |
On Fedora 34:
cc @leecow
The text was updated successfully, but these errors were encountered: