On 26.8.2014 17:00, Eric H. Christensen wrote:
> On Tue, Aug 26, 2014 at 12:36:47PM +0200, Vít Ondruch wrote:
>> $ gem fetch power_assert
>> ERROR: Could not find a valid gem 'power_assert' (>= 0), here is why:
>> Unable to download data from https://rubygems.org/
>> SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
>> certificate verify failed
>> Upstream RubyGems ships the certificates, but on your request, I removed
>> the bundled certificates. Now, 3 months later, RubyGems are broken in
>> F21+ due to this update. Luckily, I have never backported this commit to
>> F20, so this particular update is not harmful for the stable Fedora release,
>> but what am I supposed to do with F21+?
>> I don't feel like contacting Amazon. You claim that nothing should break
>> and Mozilla contacted everybody, so why not Amazon? Are they so
>> Should I follow your advice or follow upstream? Sorry, but this puzzles
>> me ...
> Hmmm, according to SSLLabs rubygems.org is using a 2048-bit certificate and
> chains all the way up to the CA with 2048-bit certificate. The
> s3.amazonaws.com URL also uses a 2048-bit cert and chains up to the CA with
> 2048-bit certs as well. If the "fix" to the CA trust file only removed CAs
> with weak (<2048-bit) certificates it would appear that the breakage you
> see wouldn't be affected by this.
These are the certificates which RubyGems upstream bundles:
Actually I discussed this a bit with Tomáš Mráz and he said that the cert
chain is 2048-bit server cert -> 2048-bit intermediate -> 1024-bit root CA
and OpenSSL can't handle this situation by default.
> Out of curiosity, did certificate verification get turned on in the F21
No. It has been turned on for some time already. The difference is that in F20,
these certificates are still bundled in the rubygems package and they are
explicitly loaded by RubyGems. If you remove them manually from
/usr/share/rubygems/rubygems/ssl_certs/ (and this is what we basically
do in F21+), you can reproduce the error on F20 as well. I.e. without
those certificates, RubyGems work with ca-certificates-2013.1.97-1.fc20
but don't work with ca-certificates-2014.2.1-1.0.fc20.
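To make the chain shape from the thread concrete, here is an added Ruby example (not code from this thread, from RubyGems or from Fedora). It generates a throwaway chain in-script, not the real rubygems.org certificates: a 2048-bit leaf and a 2048-bit intermediate under a 1024-bit root, then shows that OpenSSL verification succeeds or fails purely on whether that root is present in the trust store, which is what dropping it from ca-certificates does.

```ruby
require 'openssl'

# Issue one X.509 certificate; issuer_cert/issuer_key nil => self-signed root.
def make_cert(subject, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 60) + 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample chain mirroring the shape described in the thread
# (NOT the real rubygems.org certificates): 1024-bit root, 2048-bit below it.
ROOT_KEY = OpenSSL::PKey::RSA.new(1024)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert('/CN=Sample Root CA (1024)', ROOT_KEY, nil, nil, ca: true)
INT  = make_cert('/CN=Sample Intermediate CA', INT_KEY, ROOT, ROOT_KEY, ca: true)
LEAF = make_cert('/CN=rubygems.example', LEAF_KEY, INT, INT_KEY, ca: false)

# RSA modulus sizes along the chain, leaf first. A summary that only looks at
# the leaf and the intermediate reports 2048 bits everywhere and misses the root.
def key_bits(chain)
  chain.map { |c| c.public_key.n.num_bits }
end

# Verify a leaf the way OpenSSL does for a TLS peer: the peer supplies the
# intermediates, only the trust store (ca-certificates) supplies the roots.
# Returns [verified?, OpenSSL error string].
def verify(leaf, intermediates, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |r| store.add_cert(r) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  [ctx.verify, ctx.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "key sizes (leaf, intermediate, root): #{key_bits([LEAF, INT, ROOT]).inspect}"
  puts "root in trust store:  #{verify(LEAF, [INT], [ROOT]).inspect}"
  puts "root dropped:         #{verify(LEAF, [INT], []).inspect}"
end
```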