public inbox for [email protected]
help / color / mirror / Atom feedFrom: Stefan Huehner <[email protected]>
To: Christoph Berg <[email protected]>
To: [email protected]
Subject: Re: apt.postgresql.org repo via https will fail will some users starting 2021-10-01
Date: Thu, 9 Sep 2021 15:15:08 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <YTn/[email protected]>
References: <[email protected]>
<YTn/[email protected]>
On Thu, Sep 09, 2021 at 02:33:49PM +0200, Christoph Berg wrote:
> Re: Stefan Huehner
> > sending this here as looks like https://apt.postgresql.org is affected by this so this could trigger some support/user questions.
> >
> > Note this only (!) happens when using https:// in sources.list for the pgdg repo.
>
> Hi,
>
> thanks for sharing this.
>
> We aren't advertising https:// for apt.postgresql.org anywhere, but
> the download instructions tell users to "wget" the repository key from
> https://www.postgresql.org, so we are at least somewhat affected.
> (wget is using gnutls at least in unstable.)
>
> > Ideas:
> > - Do nothing apt.postgresql suggest http:// in the instructions
> > - Some on the website
> > - Think on reconfiguring certbot/Let's Encrypt on the server to switch to the alternative chain (avoiding this bug but breaking compatibility with old Android
>
> That's probably rather the ca-certificates package?
Not in this case, i know a bit confusing.
That upstream article has more details:
https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certifica...
Part: How to support older OpenSSL versions
In (not so) short: ca-certificates is fine to have trust anchor for Lets Encrypt.
However not everybody directly trust Let's Encrypt (missing entry in their equivalent of ca-certificates (i.e. old Android).
To keep those other clients supported they employed a bit of a trick which has an 'expired root certificates' in the chain from your server-cert to their root. At the same time there is 2nd valid path. But old version of software (openssl,gnutls) just stop + fail on seeing 'expired'.
Best they could do if offer server owner (certbot parameter when requesting ssl certificate to select):
a.) Default chain (compatible still with old android) but triggering this bug
b.) Alternative chain (ignore old android) but keep compatible with old openssl/gnutls
That link goes into much more detail but hopefully now clearer.
That is also why i raised this here as a choice for apt.postgresql.org hosting (if you think it's a useful workaround)
>
> > - Raise as bug to debian also (against openssl/gnutls) to maybe patch both in stable also to avoid this ?
> > - Not sure if that is a interesting/acceptable material for stable/old-stable?
>
> If stretch/buster/bullseye are affected, these should be fixed, yes.
>
> Though none of this is material for the PostgreSQL packages, can you
> raise the issue with the LTS team?
Will raise there.
Hopefuly above also clarified why i sent that here (not about any PostgreSQL package, but apt.postgresql.org server admin topic).
Stefan
view thread (8+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: apt.postgresql.org repo via https will fail will some users starting 2021-10-01
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox