<luislavena> drbrain: samkottler: any of you can revert the SSL change pushed by David Radcliffe?
<dwradcliffe> luislavena: rolled back
<luislavena> dwradcliffe: thank you
<luislavena> I believe I tried to explain the issue with the new cert, but maybe didn't explain myself properly, apologies for that.
<dwradcliffe> no, I forgot that you need rubygems to update rubygems
<dwradcliffe> I was trying to get it done before the new Chrome is shipped
<dwradcliffe> I don't have windows so I can't test the latest versions
<luislavena> dwradcliffe: that will only be a problem for chrome users, correct?
<luislavena> since most of the operations happen via the command line, I think that is better to be working 100%
<luislavena> I can update the 1.8.x and 2.2.x branches to allow users on those versions to update
<luislavena> but will require someone to release the rubygems-update gem for those versions
<luislavena> dwradcliffe: don't have access to that slack room
<dwradcliffe> doh, didn't realize that was private
<luislavena> dwradcliffe: I'm not saying that it is ideal to leave that for a long time, I tried to offer a plan to roll that out.
<luislavena> but seems Eric and Evan are not responsive as they used to be.
<dwradcliffe> we're stuck between a rock and hard place here
<dwradcliffe> there's no way we will get everyone to update rubygems in a week
<luislavena> dwradcliffe: I can update the different versions of Rubygems, but someone will need to do a release.
<luislavena> dwradcliffe: I can provide instructions for a workaround, at least to the Windows folk
<luislavena> *folks
<dwradcliffe> Eric did a release last night
<luislavena> but just for 2.4.x
<luislavena> Windows users cannot use 2.4.x, it is broken.
<dwradcliffe> oh right
<luislavena> lot of FUN
<luislavena> :D
<dwradcliffe> indeed
<dwradcliffe> well if you can get the code ready, hopefully Eric can do a release later
<dwradcliffe> but we might still have a problem even with the new certs?
<lucas> mp
<lucas> oops
<luislavena> dwradcliffe: I'm doing the 1.8.x code now, just the backport of the new cert
<luislavena> is staging.rubygems.org running the new certs?
<luislavena> I can test that out.
<dwradcliffe> Yes
<luislavena> ok, going to test that first and then push my commits, then it is up to Eric to perform the release
<dwradcliffe> You won't be able to download gems because you don't have credentials. But ssl connection should work.
<luislavena> dwradcliffe: just to check for outdated or something like that will be enough.
<luislavena> testing in a minute
<MichaelSmith> What's broken about Windows 2.4.x?
<luislavena> dwradcliffe: is there a way you can drop http basic auth on staging for me to test briefly?
<MichaelSmith> Should the certs in lib/rubygems/ssl_certs work with staging.rubygems.org right now?
<luislavena> MichaelSmith: those should work, yes, as long as you have an updated version of OpenSSL libs
<luislavena> that is when tested using certs in master against the different servers
<luislavena> OpenSSL 1.0.0o
<dwradcliffe> I'm mobile right now
<MichaelSmith> I ran into something similar, https://gist.github.com/MikaelSmith/29f9e662c10cc68ed988
<MichaelSmith> Tried both Mac OS X 10.10 and Windows 10.
<dwradcliffe> Very odd
<dwradcliffe> I'll test when I get home
<luislavena> MichaelSmith: it is possible the issue is caused by both certs responding to the same Common Name and the first one loaded is the one that takes priority.
<MichaelSmith> Could the order they're loaded be OS-dependent?
<luislavena> MichaelSmith: glob is OS-dependent
<luislavena> but I just tried removing the old certs and checking only against staging and the error still persists.
<luislavena> so is not that
<luislavena> drbrain: ping?
<drbrain> luislavena: pong
<luislavena> drbrain: I'm not sure about what others are reporting, but the upgrade to the new cert broke everybody's existing installation
<drbrain> yep
<drbrain> but I'm unsure why
<luislavena> I left only the certs you added last night and tried against staging.rubygems.org and still got certificate failure
<drbrain> dwradcliffe: ↑ the staging server's certificates are representative of the new certificates we're having problems with?
<luislavena> drbrain: yes, the staging has the same certs CN=*.rubygems.org
<dwradcliffe> drbrain: yes
<drbrain> I think we need to keep the whole set, not just the new three
<drbrain> but, I guess we are missing some
<luislavena> when I had the whole set, same error.
<drbrain> I should wrap util/update_bundled_ca_certificates.rb into a rake task
<luislavena> first I thought it was the OpenSSL X509 store taking on the CN to identify and load unique certs
<luislavena> so that is why I removed the old ones to verify.
<drbrain> the update script says we need these four:
<drbrain> AddTrustExternalCARoot.pem
<drbrain> Class3PublicPrimaryCertificationAuthority.pem
<drbrain> DigiCertHighAssuranceEVRootCA.pem
<drbrain> GeoTrustGlobalCA.pem
<drbrain> but AddTrust changed
<drbrain> luislavena: can you try this set of certificates: https://gist.github.com/drbrain/117192e81e718bd94042
<mpapis> drbrain, you alive! got time to look into a PR of mine for RG?
<dwradcliffe> drbrain: I think those work
<luislavena> that worked
<drbrain> mpapis: not right now
<luislavena> I think we were missing one.
<mpapis> drbrain, when you have time https://github.com/rubygems/rubygems/pull/1041
<luislavena> this is what openssl -showcerts was telling me: verify error:num=20:unable to get local issuer certificate
<drbrain> dwradcliffe: besides adding staging.rubygems.org, do you see any other hosts we might want to talk to here:
<luislavena> drbrain: the certs you gave me in the gist have sha1WithRSAEncryption signature?
<drbrain> luislavena: let me check
<MichaelSmith> With those certs it doesn't throw an exception, but I get #<Net::HTTPUnauthorized 401 Unauthorized readbody=true>
<dwradcliffe> drbrain: I don't think so, LGTM
<dwradcliffe> MichaelSmith: that's expected. Staging is locked down :)
<MichaelSmith> Ok, thanks.
<luislavena> dwradcliffe: I was unable to run some SSL assessment against staging to figure out the missing CA in the chain: https://dev.ssllabs.com/ssltest/analyze.html?d=staging.rubygems.com&hideResults=on
<drbrain> luislavena: you want .org
<luislavena> (facepalm)
<dwradcliffe> only the root is SHA1
<drbrain> there must be a bug in my checking script if the COMODO certificates aren't showing up
<luislavena> dwradcliffe: do you have the chain/bundle certs used?
<dwradcliffe> I do
<drbrain> ah, right, AddTrust is the root
<drbrain> so we shouldn't need the COMODO certificates at all
<drbrain> they're included in the certificate chain sent by the browser
<luislavena> drbrain: but is needed when you're using the client and doesn't have them.
<luislavena> I got all the certs in the chain, for some reason the certs I got are not the ones in the repo right now
<luislavena> looks the same, however it no longer fails with those.
<luislavena> I grab the chain from here: https://ssl-tools.net/webservers/staging.rubygems.org
<drbrain> luislavena: and if you delete the COMODO intermediate certificates does it then fail?
<luislavena> yes
<drbrain> on staging.rubygems.org?
<luislavena> yup
<drbrain> o_O
<drbrain> hrm
<luislavena> I'm trying to build the list of differences between the certs in master and the ones I just grabbed
<luislavena> (beyond the patch diffs)
<drbrain> luislavena: this diff works with the command in the title for me:
<drbrain> luislavena: also:
<drbrain> $ ruby -ropenssl -e 'p OpenSSL::OPENSSL_VERSION'
<drbrain> "OpenSSL 1.0.1i 6 Aug 2014"
<luislavena> drbrain: there are changes in the AddTrustExternalCARoot.pem
<drbrain> luislavena: we definitely need AddTrust but I don't think we should need the COMODO certificates
<luislavena> I think that is what is allowing it to work.
<drbrain> possibly
<luislavena> having the certs locally will reduce the handshake for fetching the chain
<drbrain> but it may be two certificates for the same key
<luislavena> *when fetching
<luislavena> the diff in the Root CA is between sha1 and sha384
<drbrain> and in the key size
<drbrain> 2048 vs 4096
<luislavena> yup
<drbrain> we probably want the checked-in key
<drbrain> what OpenSSL do you have?
<luislavena> 1.0.1j
<drbrain> newer than me
<luislavena> ok, so the problem was the root CA, if we fix that, can we do a release for major versions out there?
<luislavena> I can send the pull requests with the fix and removal of the COMODO chain certs
<dwradcliffe> that doesn't break the old cert, does it?
<luislavena> dwradcliffe: with drbrain's patch applied, the check certs pass on all servers (s3, rubygems.org, cloudfront and staging)
<dwradcliffe> ok good
<drbrain> dwradcliffe: rubygems.org's root is GeoTrust Global CA
<drbrain> I think I should leave both AddTrust root certificates in rubygems though
<luislavena> drbrain: yes, as transition :)
<drbrain> they both have the same validity
<dwradcliffe> ssl-tools.net says the root is sha1
<dwradcliffe> was the old AddTrust sha384?
<drbrain> dwradcliffe: yes, but that is OK per google as the trust is not of the same type
<drbrain> dwradcliffe: yes
<dwradcliffe> ah
<dwradcliffe> now I understand
<drbrain> "Note: SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash."
<dwradcliffe> yep
<dwradcliffe> (wasn't questioning that, just didn't realize the old root was sha384)
<drbrain> I think the "old" root is really a "new" root
<luislavena> do you want me to commit this change and backport to both 1.8 and 2.2 branches?
<drbrain> luislavena: sure
<luislavena> drbrain: not going to commit your commented line in the request ;-)
<drbrain> luislavena: can you name the replaced AddTrust something like AddTrust…2048.pem
<drbrain> luislavena: thanks!
<luislavena> drbrain: sure!
<drbrain> that way we have both AddTrust certs lying around Just In Case
<dwradcliffe> thanks guys!
<drbrain> I can re-release tonight
<dwradcliffe> I'll wait as long as I can to re-deploy the cert
<drbrain> I wonder if my fastly requests will show up in today's traffic report
<luislavena> with your permission I would like to backport those to 1.8 and 2.0 and 2.2 branches so they can be used.
<drbrain> luislavena: permission granted!
<luislavena> drbrain: thank you :)
<drbrain> luislavena: but you're a committer so you don't even need my permission
<luislavena> drbrain: I'm afraid to touch without asking :D
<drbrain> it's nothing a revert won't fix!
<luislavena> drbrain: btw, I've added a Windows CI to run rubygems test: https://ci.appveyor.com/project/luislavena/rubygems
<drbrain> I saw!
<luislavena> right now it is failing due to some gem stuff that I need to fix :(
<luislavena> been with some personal matters to attend so OSS has been down in the list
<drbrain> I've been enjoying my new job
<luislavena> drbrain: happy to hear that :)
<luislavena> drbrain: guess not doing much OSS there, right?
<luislavena> or you want to hand over the torch on RubyGems to someone else?
<drbrain> no, but the possibility exists
<drbrain> rubygems is pretty stable nowadays
<drbrain> I do need to go through the bugs again, though
<luislavena> drbrain: yeah, every week I get one or two complaints about 2.4.x on Windows :(
<luislavena> I just cannot find the time :'(
<drbrain> it can't be that hard to fix
<drbrain> but same
<luislavena> drbrain: should I update history on every branch with these changes?
<drbrain> I did for the security releases
<drbrain> master's History.txt should have all the releases in it
<luislavena> roger that ;-)
<luislavena> drbrain: 1.8, 2.0 and 2.2 branches updated
<luislavena> (also master)
<drbrain> cool
<luislavena> I left the date for the releases out, so I think that is the only thing to be done
<luislavena> (and forgot to bump version) :(
<luislavena> oh, so rusty :P
<drbrain> ha, LOL a bunch of failures due to being unable to contact rubygems.org
<luislavena> :D
<dwradcliffe> bad timing
<dwradcliffe> it's our daily outage
<luislavena> dwradcliffe: long live AWS?
<dwradcliffe> redis is the problem
<luislavena> dwradcliffe: we also suffer it at some projects at work
<luislavena> nothing pleases redis
<luislavena> high IO instances, tons of ram, SSD drives, nothing is enough for him :P
<dwradcliffe> daily backup pushes it over the edge. hopefully working on fixing that this week