Mail Archives: cygwin/2024/03/19/13:39:38

Brian Inglis via Cygwin <cygwin AT cygwin DOT com> · Tue, 19 Mar 2024 11:39:10 -0600

On 2024-03-19 11:00, J M wrote:
> $ file /etc/pki/tls/certs/*
> /etc/pki/tls/certs/ca-bundle.crt:       symbolic link to 
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> /etc/pki/tls/certs/ca-bundle.trust.crt: symbolic link to 
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> 
> $ grep -c '^-----BEGIN.*CERTIFICATE-----$' 
> /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:369
> /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem:116
> /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem:295
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:145
> 
> $ grep '^#\s\(ISRG\|R3\)' /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# ISRG Root X1
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# ISRG Root X2
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:# R3
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# ISRG Root X1
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# ISRG Root X2
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:# R3
> 
> Looks the same except the matched number lines of the grep -c.
> 
> $ sum /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
> /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem 
> /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem 
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> 22972   630 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> 34027   176 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
> 36930   491 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
> 05844   220 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

The following are a bit more useful:

$ wc -lwmcL /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
   11307   14152  664107  664142      65 
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    3368    4080  193879  193883      64 
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
    8816   10434  512531  512566      65 
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
    4236    5094  243623  243627      64 
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
   27727   33760 1614140 1614218      65 total
$ cksum /etc/pki/ca-trust/extracted/{openssl/*.crt,pem/*.pem}
317625824 664142 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
382586407 193883 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
1244815702 512566 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
1065593997 243627 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I would also like to see what you get running:

$ curl -Iv https://8.43.85.97/
*   Trying 8.43.85.97:443...
* Connected to 8.43.85.97 (8.43.85.97) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Jan 21 03:06:49 2024 GMT
*  expire date: Apr 20 03:06:48 2024 GMT
*  subjectAltName does not match 8.43.85.97
* SSL: no alternative certificate subject name matches target host name '8.43.85.97'
* Closing connection
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 
'8.43.85.97'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

and:

$ curl -Iv https://cygwin.com/
* Host cygwin.com:443 was resolved.
* IPv6: 2620:52:3:1:0:246e:9693:128c
* IPv4: 8.43.85.97
*   Trying [2620:52:3:1:0:246e:9693:128c]:443...
* Connected to cygwin.com (2620:52:3:1:0:246e:9693:128c) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cygwin.com
*  start date: Jan 21 03:06:49 2024 GMT
*  expire date: Apr 20 03:06:48 2024 GMT
*  subjectAltName: host "cygwin.com" matched cert's "cygwin.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed 
using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed 
using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cygwin.com/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cygwin.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
 > HEAD / HTTP/2
 > Host: cygwin.com
 > User-Agent: curl/8.6.0
 > Accept: */*
 >
< HTTP/2 200
HTTP/2 200
< date: Tue, 19 Mar 2024 17:32:27 GMT
date: Tue, 19 Mar 2024 17:32:27 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 
mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.74 
mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< vary: User-Agent,Accept-Encoding
vary: User-Agent,Accept-Encoding
< accept-ranges: bytes
accept-ranges: bytes
< content-security-policy: default-src 'self' http: https:
content-security-policy: default-src 'self' http: https:
< strict-transport-security: max-age=16070400
strict-transport-security: max-age=16070400
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8

<
* Connection #0 to host cygwin.com left intact

Suggest you try to redownload and rerun setup-x86_64,
reinstall the latest ca-certificates-letsencrypt and ca-certificates packages, 
check /var/log/setup.log.full, and rerun wc and cksum.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

X-Recipient:	archive-cygwin AT delorie DOT com
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 39DC03858425
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1710869976;
	bh=qwyGFgRpKfjtxN3YN34GGWns+QdMpmQCKOBu2Y7HK+Y=;
	h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
	List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	From;
	b=ytNuvTjHfcTDlJgDfLOUJ0qsw+KhYK7e/qMtybQ56q0FzDzKzUVIqWp72Gr+nv1ht
	8x2d3g23bMzKYLl+q2H3gdMpNA7M0dDv30ulWLqJkfi8WhjrzpqJ7syj4hOxVrvcvp
	xIoOMKm2tPTkLx3MSrebu1vdBqlN4R/nyrIjZgqw=
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.2 sourceware.org 79B503858D1E
ARC-Filter:	OpenARC Filter v1.0.0 sourceware.org 79B503858D1E
ARC-Seal:	i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1710869956; cv=none;
	b=E/Fzf596ROHQQsTC7gg6hH7H1VckCo0rAvJRwx6V+q7WIGWGGi0rZ+TVPInAU2ZOuJEAtyxa9Y4CYs3pJGGdaOe6T1YS/PfTlVHYs59aQvSKYGpw/BNvnb+PJD5QX9Lmb68wz9YF0LAK6xE/FTCyz+VaHtTkawjWQZ9LtUl4cNY=
ARC-Message-Signature:	i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1710869956; c=relaxed/simple;
	bh=r6SN182Z2tG9Si/H22cUMbTqTkyL9RcsxtO/auM0IqY=;
	h=Message-ID:Date:MIME-Version:From:Subject:To;
	b=IX0Ty3cTN+zuIoyPWmYsnp0rBg6bicZaMhLxTUVPHJcYpGFE2KoWxs8QlF0+50D7xh7gPKEr5oQSoqLmXLFRrYSkUe0Bo98vbaat3qq18q9RCo4RL+bt2bfE553lmodHa4RQWwo7sPTtTXWtx2Oo5N1uojfBbUbyTLedc2Rnu/8=
ARC-Authentication-Results:	i=1; server2.sourceware.org
Message-ID:	<262b6dbc-fe19-4453-8546-55985021a567@systematicsw.ab.ca>
Date:	Tue, 19 Mar 2024 11:39:10 -0600
MIME-Version:	1.0
User-Agent:	Mozilla Thunderbird
Subject:	Re: Getting error 60 of curl to cygwin setup
To:	cygwin AT cygwin DOT com
References:	<CAL8MddVRquNVBMfCtzrLGmrthHHGoyUw9Qfkqg_S6f0FOxJXUg AT mail DOT gmail DOT com>
	<a56e15dd-1ecf-42f5-ac98-e027d358cf41 AT SystematicSW DOT ab DOT ca>
	<CAL8MddUQKYhq3Ag12OYTbxFeGX-8VHriacYj5p4jCwe1Rw0COg AT mail DOT gmail DOT com>
	<b974409a-308f-4ed8-b344-7a94fcc22601 AT SystematicSW DOT ab DOT ca>
	<CAL8MddXD4r6UgM=TGk2DnMGYhi4_knTGc2qwGAPM+SCnrPO9sA AT mail DOT gmail DOT com>
Organization:	Systematic Software
In-Reply-To:	<CAL8MddXD4r6UgM=TGk2DnMGYhi4_knTGc2qwGAPM+SCnrPO9sA@mail.gmail.com>
X-Rspamd-Queue-Id:	E3E8920016
X-Spam-Status:	No, score=0.1 required=5.0 tests=BAYES_00, KAM_BADIPHTTP,
	KAM_DMARC_STATUS, KAM_SHORT, NORMAL_HTTP_TO_IP, NUMERIC_HTTP_ADDR,
	RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,
	SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE,
	UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=3.4.6
X-Stat-Signature:	zmn3baop31sbkfwiuk7k4z11jhkx5pb8
X-Rspamd-Server:	rspamout04
X-Session-Marker:	427269616E2E496E676C69734053797374656D6174696353572E61622E6361
X-Session-ID:	U2FsdGVkX1+ewGcKuDisfAGVjT1YPODTLvTpbe6dvJ8=
X-HE-Tag:	1710869950-207009
X-HE-Meta:	U2FsdGVkX1/JYpKJGsstOBwN20vtlo3SMGk9dY/wMjqaktAKDkurUNX7SHy2WWDQeoYrd4LXLaWSR8imwVYx8kPB91FF2aZJg+ATbX6ruNtruSkkw8p2RxP7VXZ3ej6zAXfsZA9d1v04XB6Ek8RWvKfau4U2VqAhA/VbAQCpDb6OjFYWrplNntmfc9XaRKI58UvhJp+h0N8dlVAf9QHjwJnHv91u9i0CUfHpr1Y04DFoNyb2+f0Znso+9RxgIcSL8ByxzuKN2eWD/JZU5/XWYvICizueZYMgLnXGfpfrXBJDCB1pWtx4kSIbFZK2LdyYV4Cx6dsWZUoS4LyREhD+h5JLBogp/hjtPAFcDJZo9OJdc5osUSZpj7QlWVmlsp4kLQZqveoo2aGwjxoJUGivWRVxfQDi2gxhAUFvpgDuxViQdzcsrcnPMw1gjM4RNwllwMDMGu8+viMf034wYwYMAqT4RFDV9YbA7faTP/Hm1zU0jRMh9NdjgZcwpKlH2TBdqEOQ744W/Hlvn2zJhLTJ0ZGB7ikQAG1SFn9CmGheCxRJYlDDhLkGgNZKtJgRz0K41MPHFZKRhYqeH/18DtcMz1pBh24JcKXatWpKwxeM4pPkYXsdcg0ldfkzzHuQNzjevqnTkcv3UUdDTF8VFO3prc99IR0Sxn52O30DhrW2wfk=
X-Spam-Checker-Version:	SpamAssassin 3.4.6 (2021-04-09) on
	server2.sourceware.org
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.30
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe:	<https://cygwin.com/mailman/options/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From:	Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To:	cygwin AT cygwin DOT com
Cc:	Brian Inglis <Brian DOT Inglis AT systematicsw DOT ab DOT ca>
Errors-To:	cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com
Sender:	"Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com>
X-MIME-Autoconverted:	from base64 to 8bit by delorie.com id 42JHdcfE819441

webmaster	delorie software privacy
Copyright � 2019 by DJ Delorie	Updated Jul 2019