https:bugs.python.org -- Untrusted Connection (Firefox)
Firefox does not want to connect to https:bugs.python.org. Plain bugs.python.org works fine. Has the certificate expired? -- Terry Jan Reedy
On Mon, Aug 18, 2014 at 04:12:22PM -0400, Terry Reedy <tjreedy@udel.edu> wrote:
Firefox does not want to connect to https:bugs.python.org.
Works for me (FF 31). Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.
It uses a CACert certificate, which your system probably doesn't trust. On Mon, Aug 18, 2014, at 13:12, Terry Reedy wrote:
Firefox does not want to connect to https:bugs.python.org. Plain bugs.python.org works fine. Has the certificate expired?
-- Terry Jan Reedy
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/benjamin%40python.org
On Mon, Aug 18, 2014 at 3:22 PM, Benjamin Peterson <benjamin@python.org> wrote:
It uses a CACert certificate, which your system probably doesn't trust.
On Mon, Aug 18, 2014, at 13:12, Terry Reedy wrote:
Firefox does not want to connect to https:bugs.python.org. Plain bugs.python.org works fine. Has the certificate expired?
-- Terry Jan Reedy
Benjamin that looks accurate. I see the same thing as Terry (on Firefox 31) and the reason is: bugs.python.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
On Mon, Aug 18, 2014 at 03:26:48PM -0500, Ian Cordasco <graffatcolmingov@gmail.com> wrote:
On Mon, Aug 18, 2014 at 3:22 PM, Benjamin Peterson <benjamin@python.org> wrote:
It uses a CACert certificate, which your system probably doesn't trust.
On Mon, Aug 18, 2014, at 13:12, Terry Reedy wrote:
Firefox does not want to connect to https:bugs.python.org. Plain bugs.python.org works fine. Has the certificate expired?
Benjamin that looks accurate. I see the same thing as Terry (on Firefox 31) and the reason is:
bugs.python.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
Aha, I see now -- the signing certificate is CAcert, which I've installed manually. Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.
Hi, On 18 August 2014 22:30, Oleg Broytman <phd@phdru.name> wrote:
Aha, I see now -- the signing certificate is CAcert, which I've installed manually.
I don't suppose anyone is particularly annoyed by this fact? I know for sure two classes of people that will never click "Ignore". The first one is people that, for lack of a less negative term, I'll call "security freaks". The second is "serious business people" to which the shiny new look of python.org appeals; they are likely to heed the warning "Legitimate banks, stores, etc. will never ask you to do this" and would regard an official hint to ignore it as highly unprofessional. (The bug tracker of PyPy used to have the same problem. We fixed the situation recently, but previously, we used to argue that we didn't have a lot of connections with either class of people...) A bientôt, Armin.
On 22 August 2014 00:41, Armin Rigo <arigo@tunes.org> wrote:
Hi,
On 18 August 2014 22:30, Oleg Broytman <phd@phdru.name> wrote:
Aha, I see now -- the signing certificate is CAcert, which I've installed manually.
I don't suppose anyone is particularly annoyed by this fact? I know for sure two classes of people that will never click "Ignore". The first one is people that, for lack of a less negative term, I'll call "security freaks". The second is "serious business people" to which the shiny new look of python.org appeals; they are likely to heed the warning "Legitimate banks, stores, etc. will never ask you to do this" and would regard an official hint to ignore it as highly unprofessional.
I've now raised this issue with the infrastructure team. The current hosting arrangements for bugs.python.org were put in place when the PSF didn't have any on-call system administrators of its own, but now that we do, it may be time to migrate that service to a location where we can switch to a more appropriate SSL certificate. Anyone interested in following the discussion further may wish to join infrastructure@python.org Regards, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
Am 21.08.14 17:44, schrieb Nick Coghlan:
I've now raised this issue with the infrastructure team. The current hosting arrangements for bugs.python.org were put in place when the PSF didn't have any on-call system administrators of its own, but now that we do, it may be time to migrate that service to a location where we can switch to a more appropriate SSL certificate.
Just to relay Noah's response: it's actually not the hosting that prevents installation of a proper certificate, it's the limitation that the certificate we could deploy would include "python.org" as a server name, which is considered risky regardless of where the service is hosted. There are solutions to that as well, of course. Regards, Martin
On Aug 21, 2014, at 11:29 AM, Martin v. Löwis <martin@v.loewis.de> wrote:
Am 21.08.14 17:44, schrieb Nick Coghlan:
I've now raised this issue with the infrastructure team. The current hosting arrangements for bugs.python.org were put in place when the PSF didn't have any on-call system administrators of its own, but now that we do, it may be time to migrate that service to a location where we can switch to a more appropriate SSL certificate.
Just to relay Noah's response: it's actually not the hosting that prevents installation of a proper certificate, it's the limitation that the certificate we could deploy would include "python.org" as a server name, which is considered risky regardless of where the service is hosted. There are solutions to that as well, of course.
That sounds like a limitation I’ve seen with StartSSL. Perhaps there’s a certificate authority that would be willing to sponsor a certificate for Python without this annoying limitation?
On Thu, Aug 21, 2014, at 09:48, Ryan Hiebert wrote:
On Aug 21, 2014, at 11:29 AM, Martin v. Löwis <martin@v.loewis.de> wrote:
Am 21.08.14 17:44, schrieb Nick Coghlan:
I've now raised this issue with the infrastructure team. The current hosting arrangements for bugs.python.org were put in place when the PSF didn't have any on-call system administrators of its own, but now that we do, it may be time to migrate that service to a location where we can switch to a more appropriate SSL certificate.
Just to relay Noah's response: it's actually not the hosting that prevents installation of a proper certificate, it's the limitation that the certificate we could deploy would include "python.org" as a server name, which is considered risky regardless of where the service is hosted. There are solutions to that as well, of course.
That sounds like a limitation I’ve seen with StartSSL. Perhaps there’s a certificate authority that would be willing to sponsor a certificate for Python without this annoying limitation?
Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.
On 22 Aug 2014 04:45, "Benjamin Peterson" <benjamin@python.org> wrote:
Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.
That's exactly what we're doing - MAL reminded me we reached the same conclusion last time this came up, we'll just track it better this time to make sure it doesn't slip through the cracks again. (And yes, switching to forced HTTPS once this is addressed would also be a good idea - we'll add it to the list) Regards, Nick.
On 8/21/2014 7:25 PM, Nick Coghlan wrote:
On 22 Aug 2014 04:45, "Benjamin Peterson" <benjamin@python.org> wrote:
Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.
That's exactly what we're doing - MAL reminded me we reached the same conclusion last time this came up, we'll just track it better this time to make sure it doesn't slip through the cracks again.
(And yes, switching to forced HTTPS once this is addressed would also be a good idea - we'll add it to the list)
I just switched from a 'low variety' short password of the sort almost crackable with brute force (today, though not several years ago) to a higher variety longer password. People with admin privileges on the tracker might be reminded to recheck. What was adequate 10 years ago is not so now. -- Terry Jan Reedy
As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA. On Thu, Aug 21, 2014 at 10:32 PM, Terry Reedy <tjreedy@udel.edu> wrote:
On 8/21/2014 7:25 PM, Nick Coghlan wrote:
On 22 Aug 2014 04:45, "Benjamin Peterson" <benjamin@python.org> wrote:
Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.
That's exactly what we're doing - MAL reminded me we reached the same conclusion last time this came up, we'll just track it better this time to make sure it doesn't slip through the cracks again.
(And yes, switching to forced HTTPS once this is addressed would also be a good idea - we'll add it to the list)
I just switched from a 'low variety' short password of the sort almost crackable with brute force (today, though not several years ago) to a higher variety longer password. People with admin privileges on the tracker might be reminded to recheck. What was adequate 10 years ago is not so now.
-- Terry Jan Reedy
I got the same in Chrome on my Mac. Skip On Sep 1, 2014 8:00 PM, "John Wong" <gokoproject@gmail.com> wrote:
As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.
On Thu, Aug 21, 2014 at 10:32 PM, Terry Reedy <tjreedy@udel.edu> wrote:
On 8/21/2014 7:25 PM, Nick Coghlan wrote:
On 22 Aug 2014 04:45, "Benjamin Peterson" <benjamin@python.org> wrote:
Perhaps some board members could comment, but I hope the PSF could just pay a few hundred a year for a proper certificate.
That's exactly what we're doing - MAL reminded me we reached the same conclusion last time this came up, we'll just track it better this time to make sure it doesn't slip through the cracks again.
(And yes, switching to forced HTTPS once this is addressed would also be a good idea - we'll add it to the list)
I just switched from a 'low variety' short password of the sort almost crackable with brute force (today, though not several years ago) to a higher variety longer password. People with admin privileges on the tracker might be reminded to recheck. What was adequate 10 years ago is not so now.
-- Terry Jan Reedy
Hi! On Mon, Sep 01, 2014 at 08:32:27PM -0500, Skip Montanaro <skip.montanaro@gmail.com> wrote:
I got the same in Chrome on my Mac.
Skip On Sep 1, 2014 8:00 PM, "John Wong" <gokoproject@gmail.com> wrote:
As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.
The signing certificate is still CAcert. One can install their root certificate from http://www.cacert.org/index.php?id=3 Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.
On 9/2/2014 1:49 AM, Oleg Broytman wrote:
Hi!
On Mon, Sep 01, 2014 at 08:32:27PM -0500, Skip Montanaro <skip.montanaro@gmail.com> wrote:
I got the same in Chrome on my Mac.
Skip On Sep 1, 2014 8:00 PM, "John Wong" <gokoproject@gmail.com> wrote:
As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.
The signing certificate is still CAcert. One can install their root certificate from http://www.cacert.org/index.php?id=3
This seems not to work for Firefox. "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)" I installed it anyway, closed and reopened Firefox (but not rebooted) and https://bugs.python.org still gives Untrusted message. -- Terry Jan Reedy
On Tue, Sep 02, 2014 at 04:14:25PM -0400, Terry Reedy <tjreedy@udel.edu> wrote:
On 9/2/2014 1:49 AM, Oleg Broytman wrote:
On Mon, Sep 01, 2014 at 08:32:27PM -0500, Skip Montanaro <skip.montanaro@gmail.com> wrote:
I got the same in Chrome on my Mac.
Skip On Sep 1, 2014 8:00 PM, "John Wong" <gokoproject@gmail.com> wrote:
As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.
The signing certificate is still CAcert. One can install their root certificate from http://www.cacert.org/index.php?id=3
This seems not to work for Firefox. "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)"
I installed it anyway, closed and reopened Firefox (but not rebooted) and https://bugs.python.org still gives Untrusted message.
Did you install it in Firefox's own certificate manager? http://wiki.cacert.org/FAQ/BrowserClients#Mozilla_Firefox "Firefox uses it's own Certificate Manager. So even if your Windows (and other Microsoft) applications already use a root certificate Firefox still might not." Oleg. -- Oleg Broytman http://phdru.name/ phd@phdru.name Programmers don't die, they just GOSUB without RETURN.
On 2 September 2014 10:34, John Wong <gokoproject@gmail.com> wrote:
As of today I still am getting untrusted cert thought I would re-ping to see if there is an ETA.
Thanks for the ping - I got sidetracked by other things, and didn't follow up on this one. I've kicked things into motion again, and it will hopefully be resolved before too long. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
On 8/21/2014 10:41 AM, Armin Rigo wrote:
Hi,
On 18 August 2014 22:30, Oleg Broytman <phd@phdru.name> wrote:
Aha, I see now -- the signing certificate is CAcert, which I've installed manually.
I don't suppose anyone is particularly annoyed by this fact?
I noticed the issue, and started this thread, because someone posted an https://bugs.python.org link. I ordinarily just go to bugs.python.org and get the http connection. I have https-anywhere installed, but it must notice the dodgy certificate and silently not switch. So I never knew before that there was an https connection available, and never thought to try it. Given that we are shipping both login credentials and files over the connection, making https routine, with a proper certificate, might be a good idea. -- Terry Jan Reedy
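The behaviour discussed in this thread (a certificate rejected as having an unknown issuer by one client, accepted by another that holds the signing root, and each trust store deciding independently) reproduced offline with OpenSSL as an added example that is not part of the original thread. Both roots, the host name tracker.example.test and all file names are constructed; OpenSSL's "unable to get local issuer certificate" is taken here as its counterpart of Firefox's sec_error_unknown_issuer.

```shell
#!/usr/bin/env bash
# Added example: every name, key and certificate below is constructed.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# new_root NAME CN: self-signed root certificate, standing in for one CA.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_leaf ROOT CN: server certificate signed by the named root.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$work/leaf.csr" -days 1 -CAcreateserial \
        -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/leaf.pem" 2>/dev/null
}

# check_trust STORE: verify the leaf against one trust store (a PEM bundle).
# Prints trusted, unknown-issuer, or failed.
check_trust() {
    out=$(openssl verify -CAfile "$work/$1.pem" "$work/leaf.pem" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo unknown-issuer ;;
        *": OK"*) echo trusted ;;
        *) echo failed ;;
    esac
}

new_root community "Community Root (constructed)"   # the CA that signed the site
new_root bundled "Bundled Root (constructed)"       # what the client ships with
issue_leaf community tracker.example.test

echo "client store without the signing root: $(check_trust bundled)"
echo "client store holding the signing root: $(check_trust community)"
```

The same leaf certificate gives two different answers because trust is a property of the store the verifier consults, which is why importing a root into the Windows store leaves Firefox's verdict unchanged.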
participants (10)
- "Martin v. Löwis"
- Armin Rigo
- Benjamin Peterson
- Ian Cordasco
- John Wong
- Nick Coghlan
- Oleg Broytman
- Ryan Hiebert
- Skip Montanaro
- Terry Reedy