Server TLS configuration is broken and vulnerable

[toupeira]

See my other comment and the report from SSL Labs

• the COMODO intermediate certificate is missing from the chain
• the OpenSSL version is vulnerable to CVE-2016-2107

@nicferrier seems to be missing in action, is there anybody with access to the server configuration?

[anarcat]

For the record, I also still see this problem here.

I'm getting this when running emacs -q after adding adding the Marmalade repo (https://marmalade-repo.org/packages/):

This is after running package-list-packages with the Marmalade repo configured, running under emacs -q. Hitting "always" in that dialog creates the following file in .emacs.d/network-security.data:

(
 (:id "sha1:85457c729378cc93c732b6a3941c8e4f9c2e60f3" :fingerprint "sha1:ab:a6:d7:6a:b3:d3:63:fa:19:0d:65:41:60:23:6e:ef:d3:2a:46:dc" :host "marmalade-repo.org:443" :conditions (:unknown-ca :invalid))
)

There are two distinct problems here:

1. the marmalade-repo.org should be trusted. it works in Firefox and Chromium

2. the exception shouldn't use a SHA-1 exception, which is now very well known to be weak

Problem 1 is this issue. The reason why it works in Firefox and Chromium is that they cache intermediate certificates like COMODO's.

Problem 2 is a bug in Emacs, so not a concern here, but I figured I would share my workaround in case people want to verify the fingerprint.

[duncan-bayne]

Problem still present on GNU Emacs 25.2.1, FreeBSD 11.1-RELEASE amd64.

[apsoftwaredev]

This is GNU Emacs 25.2.1 (x86_64-apple-darwin13.4.0, NS appkit-1265.21 Version 10.9.5 (Build 13F1911))
of 2017-04-21

[cabo]

Is this thing on?

[duncan-bayne]

@cabo Yeah but no-one is steering ;)

[michaelmhoffman]

I have posted a user workaround to https://emacs.stackexchange.com/a/35502/2701. The server should still be configured so this is unnecessary, though.