On 05/28/20 00:07, Rebecca Cran wrote:

> I also tried using my openSUSE WSL installation, but it failed with:
> 
> STARTTLS failed! SSL connect attempt failed error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed at
> /usr/lib/git/git-send-email line 1548.

That's different -- in this case, peer certificate verification was
attempted, but it failed, because the root certificate in the peer's
cert chain is not trusted by your system (your openSUSE WSL environment).

The fix for that should be identical to what you'd do on a standalone
openSUSE installation -- (1) figure out what CA cert is the root of the
peer's cert chain, and (2) decide consciously whether you trust that CA
cert to sign other certificates, (3) import said CA cert persistently
into your "store of trusted CA certs".

Examples:

(1) I think one command that works is:

$ openssl s_client -showcerts -connect HOST:PORT </dev/null

(2) up to you :)

(3a) On RHEL, this would mean copying the CA certificate under
"/etc/pki/ca-trust/source/anchors/", in PEM format, and then running the
"update-ca-trust extract" command. (Both actions need root (uid=0)
access, of course.)

(3b) For a user session (i.e., not system-wide), git-send-email also
takes "--smtp-ssl-cert-path":

       --smtp-ssl-cert-path
           Path to a store of trusted CA certificates for SMTP SSL/TLS
           certificate validation (either a directory that has been
           processed by c_rehash, or a single file containing one or
           more PEM format certificates concatenated together: see
           verify(1) -CAfile and -CApath for more information on
           these). Set it to an empty string to disable certificate
           verification. Defaults to the value of the
           sendemail.smtpsslcertpath configuration variable, if set,
           or the backing SSL library's compiled-in default otherwise
           (which should be the best choice on most platforms).

Thanks
Laszlo
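
An added example, not part of the original message: a shell sketch of step (1) that splits the `openssl s_client -showcerts` output into one file per certificate and reports the issuer at the top of the chain the server sent. The function names (`sample_output`, `split_chain`, `top_issuer`), the sample output and the CA file path are constructed for illustration; `-starttls smtp` is an `s_client` option the message does not mention.

```shell
#!/bin/sh
# Added example. In real use, replace sample_output with:
#   openssl s_client -showcerts -connect HOST:PORT </dev/null
# (add "-starttls smtp" if the port starts in plain SMTP).

# Constructed s_client output; the PEM bodies are placeholders, not real certificates.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.example.org
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
---
EOF
}

# split_chain DIR: write each PEM block on stdin to DIR/cert-N.pem
# (1 = server certificate, higher N = closer to the root); print the count.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
        END                            { print n + 0 }'
}

# top_issuer: print the issuer ("i:") of the last certificate the server sent.
# That names the next CA up the chain (often the root) to review in step (2).
top_issuer() {
    awk '/^ +i:/ { sub(/^ +i:/, ""); last = $0 } END { print last }'
}

dir=$(mktemp -d)
count=$(sample_output | split_chain "$dir")
echo "$count certificates in $dir; top of chain issued by: $(sample_output | top_issuer)"
# Inspect one with: openssl x509 -in "$dir/cert-1.pem" -noout -subject -issuer
# After step (2), the per-user route from (3b) can be made persistent with
#   git config --global sendemail.smtpsslcertpath /path/to/trusted-ca.pem   (hypothetical path)
```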

