From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, rebecca@bsdio.com, rfc@edk2.groups.io,
Bret Barkelew <Bret.Barkelew@microsoft.com>,
Andrew Fish <afish@apple.com>
Cc: "spbrogan@outlook.com" <spbrogan@outlook.com>,
"Desimone, Nathaniel L" <nathaniel.l.desimone@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Leif Lindholm (Nuvia address)" <leif@nuviainc.com>
Subject: Re: [EXTERNAL] [edk2-devel] [edk2-rfc] GitHub Pull Request based Code Review Process
Date: Wed, 27 May 2020 20:32:37 +0200
Message-ID: <bddab497-d758-9aba-47dd-8142c65f95a0@redhat.com>
In-Reply-To: <af2b30b8-268d-c179-10fe-6185d1a67017@bsdio.com>
On 05/28/20 00:07, Rebecca Cran wrote:
> I also tried using my openSUSE WSL installation, but it failed with:
>
> STARTTLS failed! SSL connect attempt failed error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed at
> /usr/lib/git/git-send-email line 1548.

That's different -- in this case, peer certificate verification was
attempted, but it failed, because the root certificate in the peer's
cert chain is not trusted by your system (your openSUSE WSL environment).

The fix for that should be identical to what you'd do on a standalone
openSUSE installation -- (1) figure out what CA cert is the root of the
peer's cert chain, and (2) decide consciously whether you trust that CA
cert to sign other certificates, (3) import said CA cert persistently
into your "store of trusted CA certs".

Examples:

(1) I think one command that works is:

    $ openssl s_client -showcerts -connect HOST:PORT </dev/null

(2) up to you :)

(3a) On RHEL, this would mean copying the CA certificate under
"/etc/pki/ca-trust/source/anchors/", in PEM format, and then running the
"update-ca-trust extract" command. (Both actions need root (uid=0)
access, of course.)

(3b) For a user session (i.e., not system-wide), git-send-email also
takes "--smtp-ssl-cert-path":

    --smtp-ssl-cert-path
        Path to a store of trusted CA certificates for SMTP SSL/TLS
        certificate validation (either a directory that has been
        processed by c_rehash, or a single file containing one or
        more PEM format certificates concatenated together: see
        verify(1) -CAfile and -CApath for more information on
        these). Set it to an empty string to disable certificate
        verification. Defaults to the value of the
        sendemail.smtpsslcertpath configuration variable, if set,
        or the backing SSL library's compiled-in default otherwise
        (which should be the best choice on most platforms).

Thanks
Laszlo
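
Steps (1) and (3b) from the message above as shell functions; this is an added example, not part of the original message. It assumes the server speaks SMTP with STARTTLS (hence `-starttls smtp` on the `s_client` call); HOST, PORT, the CA file path and the function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original message). HOST, PORT and file paths
# passed to these functions are placeholders chosen by the caller.

# Print the Nth (1-based) PEM certificate found in s_client output on stdin.
pem_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on && n == want               { print }
        /-----END CERTIFICATE-----/   { on = 0 }'
}

# Count the PEM certificates in s_client output on stdin.
pem_count() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Step (1): fetch the chain the server presents after STARTTLS and print
# subject, issuer and SHA-256 fingerprint of the last certificate in it.
show_chain_top() {   # usage: show_chain_top HOST PORT
    chain=$(openssl s_client -starttls smtp -showcerts \
                -connect "$1:$2" </dev/null 2>/dev/null)
    last=$(printf '%s\n' "$chain" | pem_count)
    [ "$last" -gt 0 ] || { echo "no certificates received" >&2; return 1; }
    printf '%s\n' "$chain" | pem_cert "$last" |
        openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Step (3b): once a CA has been consciously accepted (step 2), point
# git-send-email at a per-user PEM file instead of the system store.
trust_for_git() {    # usage: trust_for_git /path/to/ca.pem
    openssl x509 -in "$1" -noout >/dev/null || return 1   # not a certificate
    git config --global sendemail.smtpsslcertpath "$1"
}

# Constructed stand-in for s_client output (dummy base64, not real certs),
# for checking pem_cert/pem_count offline.
SAMPLE=' 0 s:CN = mail.example.test
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
---
Server certificate'
```

The chain a server sends usually stops below the root, so the issuer printed for the last certificate names the CA certificate to obtain from the CA's own distribution point and compare by fingerprint before step (3).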