hg.mozilla.org now redirects to hg-edge.mozilla.org. This presents a
couple of unique challenges:
- OpenSSL s_client cannot follow redirects.
- hg-edge.mozilla.org is configured differently than hg.mozilla.org was.
- The certificate used for hg-edge.mozilla.org is signed by Let's
Encrypt instead of the Mozilla CA root.
To fix this, we have done the following:
- Removed the Mozilla CA root from the make-ca package and replaced it
with ISRG-Root-X1, which is the signing root certificate for Let's
Encrypt certificates.
- Adjusted the Makefile to install the new signing root certificate.
- Changed the URL for downloading the certdata.txt file to
hg-edge.mozilla.org.
- Fixed problems with retrieving the certificate data from that website
by specifying the HTTP version and turning off keep-alive support. As
part of this we need to change from using "echo" to "printf" due to
a behavior change in how "\n" is handled. Note that "\n" must be
specified or else the connection will hang.
This will allow certificate data to be updated once again.

This commit adds the Let's Encrypt certificate root so that we can copy it to /etc/make-ca and use it for verification of the initial download of certdata.txt.
This is now needed because Mozilla has moved from hg.mozilla.org to hg-edge.mozilla.org, which is signed using Let's Encrypt instead of the Mozilla Certificate Root.

This commit deletes the old Mozilla CA Root.
We're going to need to use the root certificate for Let's Encrypt because hg-edge.mozilla.org uses a Let's Encrypt certificate instead of one signed by the Mozilla CA root.

This partially reverts commit 327c7e9306.
Per https://bugzilla.mozilla.org/show_bug.cgi?id=1465613, the intention
of the CKA_NSS_*_DISTRUST_AFTER dates is to distrust the certificate
with this anchor if the certificate is issued after the date, not if the
system date is after the date.
As make-ca cannot know the issue date of downstream certificates, this
is just a wrong location to handle CKA_NSS_*_DISTRUST_AFTER.
Unfortunately it seems nothing is handling it properly: OpenSSL does not
use p11-kit and the raw X509 certificates in /etc/ssl/certs cannot store
the CKA_NSS_*_DISTRUST_AFTER info at all, GnuTLS uses p11-kit but fails
to really fetch the dates. So BLFS will be slightly overly permissive
(instead of overly restrictive) after this change, but AFAIK all other
distros have the same behavior as of now.
Link: https://gitlab.com/gnutls/gnutls/-/issues/1656
Link: https://github.com/openssl/openssl/issues/24784

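To make the semantic difference above concrete, here is an added Python example (not make-ca's own code) that decodes a CKA_NSS_SERVER_DISTRUST_AFTER attribute written in certdata.txt syntax and applies it both ways: against the leaf certificate's issue date (the intended meaning per bug 1465613) and against the system clock (the reading make-ca previously implemented). The attribute value and the dates are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in certdata.txt syntax (not a real trust-anchor entry).
# The octal escapes decode to the UTCTime string "230131000000Z",
# i.e. 2023-01-31 00:00:00 UTC.
SAMPLE_ATTR = r"""CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\063\060\061\063\061\060\060\060\060\060\060\132
END"""


def decode_multiline_octal(block: str) -> bytes:
    """Decode the \\NNN escapes between MULTILINE_OCTAL and END."""
    m = re.search(r"MULTILINE_OCTAL\s*(.*?)\s*END", block, re.S)
    if m is None:
        raise ValueError("no MULTILINE_OCTAL block found")
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", m.group(1)))


def parse_distrust_after(block: str) -> datetime:
    """NSS stores the cutoff as an ASN.1 UTCTime: YYMMDDHHMMSSZ."""
    text = decode_multiline_octal(block).decode("ascii")
    return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def distrust_by_issue_date(block: str, cert_not_before_iso: str) -> bool:
    """Intended semantics: distrust a leaf cert chaining to this anchor only
    if the leaf was *issued* (notBefore) after the cutoff. This is the check
    make-ca cannot perform, because it never sees the downstream certs."""
    not_before = datetime.fromisoformat(cert_not_before_iso)
    return not_before > parse_distrust_after(block)


def distrust_by_system_date(block: str, now_iso: str) -> bool:
    """The reading reverted here: drop the anchor entirely once the system
    clock passes the cutoff, which also breaks certs issued before it."""
    now = datetime.fromisoformat(now_iso)
    return now > parse_distrust_after(block)


if __name__ == "__main__":
    # A cert issued before the cutoff, evaluated after the cutoff has passed:
    # the issue-date rule keeps trusting it, the clock rule does not.
    print(distrust_by_issue_date(SAMPLE_ATTR, "2022-06-01T00:00:00+00:00"))
    print(distrust_by_system_date(SAMPLE_ATTR, "2023-06-01T00:00:00+00:00"))
```
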
Before this, make-ca does not verify the certificate of hg.mozilla.org
at all. It makes sense as make-ca often runs on systems without a trust
anchor. But a MITM can easily fake hg.mozilla.org and completely hijack
the trust anchor of a BLFS system.
To improve the situation, we ship the certificate of the CA root for
hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use
it to verify hg.mozilla.org.