Re: [EXTERNAL] [edk2-devel] [edk2-rfc] GitHub Pull Request based Code Review Process

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, rebecca@bsdio.com, rfc@edk2.groups.io,
	Bret Barkelew <Bret.Barkelew@microsoft.com>,
	Andrew Fish <afish@apple.com>
Cc: "spbrogan@outlook.com" <spbrogan@outlook.com>,
	"Desimone, Nathaniel L" <nathaniel.l.desimone@intel.com>,
	"Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Leif Lindholm (Nuvia address)" <leif@nuviainc.com>
Subject: Re: [EXTERNAL] [edk2-devel] [edk2-rfc] GitHub Pull Request based Code Review Process
Date: Wed, 27 May 2020 20:32:37 +0200	[thread overview]
Message-ID: <bddab497-d758-9aba-47dd-8142c65f95a0@redhat.com> (raw)
In-Reply-To: <af2b30b8-268d-c179-10fe-6185d1a67017@bsdio.com>

On 05/28/20 00:07, Rebecca Cran wrote:

> I also tried using my openSUSE WSL installation, but it failed with:
> 
> STARTTLS failed! SSL connect attempt failed error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed at
> /usr/lib/git/git-send-email line 1548.

That's different -- in this case, peer certificate verification was
attempted, but it failed, because the root certificate in the peer's
cert chain is not trusted by your system (your openSUSE WSL environment).

The fix for that should be identical to what you'd do on a standalone
openSUSE installation -- (1) figure out what CA cert is the root of the
peer's cert chain, and (2) decide consciously whether you trust that CA
cert to sign other certificates, (3) import said CA cert persistently
into your "store of trusted CA certs".

Examples:

(1) I think one command that works is:

$ openssl s_client -showcerts -connect HOST:PORT </dev/null

(2) up to you :)

(3a) On RHEL, this would mean copying the CA certificate under
"/etc/pki/ca-trust/source/anchors/", in PEM format, and then running the
"update-ca-trust extract" command. (Both actions need root (uid=0)
access, of course.)

(3b) For a user session (i.e., not system-wide), git-send-email also
takes "--smtp-ssl-cert-path":

       --smtp-ssl-cert-path
           Path to a store of trusted CA certificates for SMTP SSL/TLS
           certificate validation (either a directory that has been
           processed by c_rehash, or a single file containing one or
           more PEM format certificates concatenated together: see
           verify(1) -CAfile and -CApath for more information on
           these). Set it to an empty string to disable certificate
           verification. Defaults to the value of the
           sendemail.smtpsslcertpath configuration variable, if set,
           or the backing SSL library's compiled-in default otherwise
           (which should be the best choice on most platforms).

Thanks
Laszlo

     prev parent reply	other threads:[~2020-05-27 18:32 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-19  7:21 [edk2-devel] [edk2-rfc] GitHub Pull Request based Code Review Process Nate DeSimone
2020-05-19  8:39 ` Laszlo Ersek
2020-05-19 18:02   ` Nate DeSimone
2020-05-19 16:54 ` Sean
2020-05-19 18:02   ` Nate DeSimone
2020-05-19 19:34     ` Bret Barkelew
2020-05-19 19:59       ` Nate DeSimone
2020-05-19 20:10         ` Bret Barkelew
2020-05-19 21:02           ` Nate DeSimone
2020-05-19 21:07             ` Bret Barkelew
2020-05-20 17:05             ` Laszlo Ersek
2020-05-20 17:21               ` Sean
2020-05-22  1:56                 ` Andrew Fish
2020-05-20 21:53           ` Laszlo Ersek
2020-05-22  5:31             ` [EXTERNAL] " Bret Barkelew
2020-05-19 21:22       ` Laszlo Ersek
2020-05-19 21:35         ` Nate DeSimone
2020-05-19 21:38           ` Bret Barkelew
2020-05-19 20:41   ` Laszlo Ersek
2020-05-19 22:25     ` Sean
2020-05-21 13:30       ` Laszlo Ersek
2020-05-21 17:53         ` Sean
2020-05-22  2:59         ` Andrew Fish
2020-05-22  5:48           ` [EXTERNAL] " Bret Barkelew
2020-05-22 17:20             ` Laszlo Ersek
2020-05-25  4:09             ` [EXTERNAL] " Andrew Fish
2020-05-25 18:10               ` Laszlo Ersek
2020-05-25 18:28                 ` Andrew Fish
2020-05-26 11:17                   ` Laszlo Ersek
2020-05-26 14:39                     ` Samer El-Haj-Mahmoud
2020-05-26 16:13                       ` Bret Barkelew
2020-05-27  1:52                   ` Bret Barkelew
2020-05-27  9:27                     ` Tomas Pilar (tpilar)
2020-05-27 12:12                     ` Laszlo Ersek
2020-05-27 22:07                       ` Rebecca Cran
2020-05-27 17:39                         ` Andrew Fish
2020-05-27 17:45                         ` Bret Barkelew
2020-05-28  6:57                           ` Bret Barkelew
2020-05-27 18:32                         ` Laszlo Ersek [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bddab497-d758-9aba-47dd-8142c65f95a0@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox