Reed Loden wrote:
> Ineiev wrote:
> > It looks like this disabled some of my cron jobs on fencepost.gnu.org;
> > it used to wget https://...savannah.gnu.org/...; now it says
> > ERROR: cannot verify savannah.gnu.org's certificate, issued by
> > `/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2':
> > Unable to locally verify the issuer's authority.
> >
> > Probably I should file a request to sysadmin, or configure
> > something in ~/.

The FSF sysadmin is the place to get any updates onto fencepost. I
will give them a poke and see about getting this updated.

> https://www.ssllabs.com/ssltest/analyze.html?d=savannah.gnu.org
>
> Looks like "USERTrust RSA Certification Authority" root CA cert is missing
> from the ca-certificates store of fencepost. Not sure when it was added to
> browser's root store, but might be a good idea to send it along with the
> entire certificate chain for now. Better yet, update fencepost's
> ca-certificates.

It is also possible that the change from SHA1 to SHA256 was also a
source of the problem.

> Aside from that, it would be nice if savannah's SSL/TLS config was updated
> to enable better cipher suite choices and newer protocols. See
> https://wiki.mozilla.org/Security/Server_Side_TLS for some examples on how
> to do this.

Yes. I started working that problem and then Real Life intruded. It
isn't completely simple because Savannah has evolved into a large
framework all interconnected. It has lost some modularity.
Everything is connected. Upgrading one thing causes other things not
to work. Which makes upgrades at the moment problematic.

I will just note that I haven't lost track of the upgrade project. I
have simply had to delay while taking care of other more urgent things
first.

Bob