[Discuss] server certificates for the https protocol

Jason Abernathy infinitycool at shaw.ca
Mon Jan 28 18:17:39 PST 2008


Try ssh'ing to another machine you have access to and committing from 
there. If it accepts the remote connection then your computer may need 
new certificates.

If it does the same thing then I would wager the problem lies with SF or 
Equifax.

Alan W. Irwin wrote:
> On 2008-01-28 14:20-0800 Steven Kurylo wrote:
>
>> On Jan 27, 2008 12:56 PM, Alan W. Irwin <irwin at beluga.phys.uvic.ca> wrote:
>>> Could somebody give me a brief description of what server certificates are
>>> and the practical steps I should take to deal with invalid ones?
>>>
>>> For example, I am currently getting the following message from an svn commit
>>> to SF
>>>
>>> software at raven> svn commit .
>>> Error validating server certificate for 'https://lasi.svn.sourceforge.net:443':
>>>   - The certificate is not issued by a trusted authority. Use the
>>>     fingerprint to validate the certificate manually!
>>> Certificate information:
>>>   - Hostname: *.svn.sourceforge.net
>>>   - Valid: from Tue, 09 Oct 2007 14:15:07 GMT until Mon, 08 Dec 2008 15:15:07 GMT
>>>   - Issuer: Equifax Secure Certificate Authority, Equifax, US
>>>   - Fingerprint: fb:75:6c:40:58:ae:21:8c:63:dd:1b:7b:6a:7d:bb:8c:74:36:e7:8a
>>> (R)eject, accept (t)emporarily or accept (p)ermanently?
>>>
>>> Is this the fault of SourceForge or Equifax or is there a real security
>>> concern here?
>>
>> It's telling you the cert is signed by Equifax Secure Certificate
>> Authority, Equifax, US but you don't trust them.
>>
>> In an ideal world you'll verify the fingerprint against a trusted
>> source.  They don't seem to list their fingerprints on their website,
>> even if you decided to trust it.
>>
>> Firefox comes with a lot of Equifax certificates, so you could see if
>> Firefox already trusts it.
>>
>> The paranoid hat could be that your DNS could be poisoned and you're
>> not looking at the real sourceforge server.  The hacker is using the
>> Equifax name on their certificate to try to trick you.
>>
>> More likely your OS just doesn't have the latest Equifax cert installed.
>
> Thanks for these ideas.  Is it also possible that SF failed to renew
> something (despite [or because of] the future date on the Equifax
> certificate)?  Everything was working fine without any warning messages a
> few days ago so failure to renew is a possibility from that perspective.
>
> I tried https://lasi.svn.sourceforge.net on firefox. Is that what you meant
> by seeing if firefox already trusts "it"? If so, the result wasn't
> definitive because for a browser it gets forwarded to an http (not https)
> site for browsing the svn repository, i.e.,
> http://lasi.svn.sourceforge.net/viewvc/lasi/.  The response to the svn
> command is very different of course because it actually writes to the
> repository directly with the https protocol rather than simply viewing html
> pages that were generated from the svn repository.
>
> Alan
> __________________________
> Alan W. Irwin
>
> Astronomical research affiliation with Department of Physics and Astronomy,
> University of Victoria (astrowww.phys.uvic.ca).
>
> Programming affiliations with the FreeEOS equation-of-state implementation
> for stellar interiors (freeeos.sf.net); PLplot scientific plotting software
> package (plplot.org); the libLASi project (unifont.org/lasi); the Loads of
> Linux Links project (loll.sf.net); and the Linux Brochure Project
> (lbproject.sf.net).
> __________________________
>
> Linux-powered Science
> __________________________
> _______________________________________________
> Discuss mailing list
> Discuss at vlug.org
> http://ladybug.vlug.org/cgi-bin/mailman/listinfo/discuss
>
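
Added example (not part of the original thread): one way to do the manual fingerprint comparison the svn prompt asks for, assuming the 20-byte fingerprint svn prints is the SHA-1 digest of the DER-encoded certificate. The function names are hypothetical and the sample certificate bytes are constructed; the reference fingerprint has to come from a channel other than the connection being checked.

```python
import hashlib
import ssl


def normalize_fingerprint(text, digest_bytes=20):
    """Accept 'FB:75:...', 'fb 75 ...' or 'fb75...'; return lowercase hex."""
    hexstr = "".join(ch for ch in text.lower() if ch not in ": \t\r\n")
    if len(hexstr) != 2 * digest_bytes or set(hexstr) - set("0123456789abcdef"):
        # A truncated or mistyped reference must fail loudly, never "match".
        raise ValueError("expected a %d-byte hex fingerprint" % digest_bytes)
    return hexstr


def cert_fingerprint(pem, algorithm="sha1"):
    """Digest of the DER-encoded certificate, colon-separated like svn's output."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_trusted(pem, trusted_fingerprint):
    """True only if the certificate's SHA-1 fingerprint equals the trusted one."""
    presented = normalize_fingerprint(cert_fingerprint(pem))
    return presented == normalize_fingerprint(trusted_fingerprint)


def check_server(host, port, trusted_fingerprint):
    """Fetch whatever certificate the server presents (this call does not
    validate the chain) and compare it with the independently obtained value."""
    pem = ssl.get_server_certificate((host, port))
    return matches_trusted(pem, trusted_fingerprint)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate, so this runs offline.
    sample_pem = ssl.DER_cert_to_PEM_cert(b"constructed sample, not a real cert")
    shown = cert_fingerprint(sample_pem)
    print("presented fingerprint:", shown)
    # Same value typed with different case and separators still matches.
    print("reformatted copy matches:",
          matches_trusted(sample_pem, shown.upper().replace(":", " ")))
    # The fingerprint quoted in the thread belongs to a different certificate.
    quoted = "fb:75:6c:40:58:ae:21:8c:63:dd:1b:7b:6a:7d:bb:8c:74:36:e7:8a"
    print("matches fingerprint quoted in thread:",
          matches_trusted(sample_pem, quoted))
```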


