On Mon, Aug 18, 2014 at 03:26:48PM -0500, Ian Cordasco wrote:

On Mon, Aug 18, 2014 at 3:22 PM, Benjamin Peterson wrote:

...

It uses a CACert certificate, which your system probably doesn't trust.

On Mon, Aug 18, 2014, at 13:12, Terry Reedy wrote:

...

Firefox does not want to connect to https:bugs.python.org. Plain bugs.python.org works fine. Has the certificate expired?

Benjamin that looks accurate. I see the same thing as Terry (on Firefox 31) and the reason is:

bugs.python.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Aha, I see now -- the signing certificate is CAcert, which I've installed manually. Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.

On 22 August 2014 00:41, Armin Rigo wrote:

Hi,

On 18 August 2014 22:30, Oleg Broytman wrote:

...

Aha, I see now -- the signing certificate is CAcert, which I've installed manually.

I don't suppose anyone is particularly annoyed by this fact? I know for sure two classes of people that will never click "Ignore". The first one is people that, for lack of a less negative term, I'll call "security freaks". The second is "serious business people" to which the shiny new look of python.org appeals; they are likely to heed the warning "Legitimate banks, stores, etc. will never ask you to do this" and would regard an official hint to ignore it as highly unprofessional.

I've now raised this issue with the infrastructure team. The current hosting arrangements for bugs.python.org were put in place when the PSF didn't have any on-call system administrators of its own, but now that we do, it may be time to migrate that service to a location where we can switch to a more appropriate SSL certificate. Anyone interested in following the discussion further may wish to join infrastructure@python.org Regards, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia

On Aug 21, 2014, at 11:29 AM, Martin v. Löwis wrote:

Am 21.08.14 17:44, schrieb Nick Coghlan:

...

I've now raised this issue with the infrastructure team. The current hosting arrangements for bugs.python.org were put in place when the PSF didn't have any on-call system administrators of its own, but now that we do, it may be time to migrate that service to a location where we can switch to a more appropriate SSL certificate.

Just to relay Noah's response: it's actually not the hosting that prevents installation of a proper certificate, it's the limitation that the certificate we could deploy would include "python.org" as a server name, which is considered risky regardless of where the service is hosted. There are solutions to that as well, of course.

That sounds like a limitation I’ve seen with StartSSL. Perhaps there’s a certificate authority that would be willing to sponsor a certificate for Python without this annoying limitation?

On 22 Aug 2014 04:45, "Benjamin Peterson" wrote:

Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.

That's exactly what we're doing - MAL reminded me we reached the same conclusion last time this came up, we'll just track it better this time to make sure it doesn't slip through the cracks again. (And yes, switching to forced HTTPS once this is addressed would also be a good idea - we'll add it to the list) Regards, Nick.

As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA. On Thu, Aug 21, 2014 at 10:32 PM, Terry Reedy wrote:

On 8/21/2014 7:25 PM, Nick Coghlan wrote:

...

On 22 Aug 2014 04:45, "Benjamin Peterson" mailto:benjamin@python.org> wrote:

...

Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.

That's exactly what we're doing - MAL reminded me we reached the same conclusion last time this came up, we'll just track it better this time to make sure it doesn't slip through the cracks again.

(And yes, switching to forced HTTPS once this is addressed would also be a good idea - we'll add it to the list)

I just switched from a 'low variety' short password of the sort almost crackable with brute force (today, though not several years ago) to a higher variety longer password. People with admin privileges on the tracker might be reminded to recheck. What was adequate 10 years ago is not so now.

-- Terry Jan Reedy

_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/gokoproject%40gmail.com

Hi! On Mon, Sep 01, 2014 at 08:32:27PM -0500, Skip Montanaro wrote:

I got the same in Chrome on my Mac.

Skip On Sep 1, 2014 8:00 PM, "John Wong" wrote:

...

As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.

The signing certificate is still CAcert. One can install their root certificate from http://www.cacert.org/index.php?id=3 Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.

On Tue, Sep 02, 2014 at 04:14:25PM -0400, Terry Reedy wrote:

On 9/2/2014 1:49 AM, Oleg Broytman wrote:

...

On Mon, Sep 01, 2014 at 08:32:27PM -0500, Skip Montanaro wrote:

...

I got the same in Chrome on my Mac.

Skip On Sep 1, 2014 8:00 PM, "John Wong" wrote:

...

As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.

The signing certificate is still CAcert. One can install their root certificate from http://www.cacert.org/index.php?id=3

This seems not to work for Firefox. "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)"

I installed it anyway, closed and reopened Firefox (but not rebooted) and https://bugs.python.org still gives Untrusted message.

Did you install it in the Firefox own certificate manager? http://wiki.cacert.org/FAQ/BrowserClients#Mozilla_Firefox "Firefox uses it's own Certificate Manager. So even if your Windows (and other Microsoft) applications already use a root certificate Firefox still might not." Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.

On 8/21/2014 10:41 AM, Armin Rigo wrote:

Hi,

On 18 August 2014 22:30, Oleg Broytman wrote:

...

Aha, I see now -- the signing certificate is CAcert, which I've installed manually.

I don't suppose anyone is particularly annoyed by this fact?

I noticed the issue, and started this thread, because someone posted an https::/bugs.python.org link. I ordinarily just go to bugs.python.org and get the http connection. I have https-anywhere installed, but it must notice the dodgy certificate and silently not switch. So I never knew before tht there was an https connection available, and never thought to try it. Given that we are shipping both login credentials and files over the connection, making https routine, with a proper certificate, might be a good idea. -- Terry Jan Reedy