[Bug 1634346] Re: https://entropy.ubuntu.com lacks Perfect Forward Secrecy (PFS) and has certificate chain issues

Dustin Kirkland  dustin.kirkland at gmail.com
Tue Jan 10 14:51:35 UTC 2017


I instrumented /usr/sbin/pollinate to display the trace information:

⟫ sudo pollinate -r
<13>Jan 10 16:50:43 pollinate[8877]: system was previously seeded at [2017-01-10 16:48:43.103906490 +0200]
<13>Jan 10 16:50:43 pollinate[8877]: client sent challenge to [https://entropy.ubuntu.com/]
<13>Jan 10 16:50:44 pollinate[8877]: client verified challenge/response with [https://entropy.ubuntu.com/]
<13>Jan 10 16:50:44 pollinate[8877]: client hashed response from [https://entropy.ubuntu.com/]
<13>Jan 10 16:50:44 pollinate[8877]: client successfully seeded [/dev/urandom]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
16:50:43.176650 *   Trying 91.189.94.24...
16:50:43.355617 * Connected to entropy.ubuntu.com (91.189.94.24) port 443 (#0)
16:50:43.355891 * found 2 certificates in /etc/pollinate/entropy.ubuntu.com.pem
16:50:43.355909 * found 0 certificates in /dev/null
16:50:43.355959 * ALPN, offering http/1.1
16:50:43.960703 * SSL connection using TLS1.2 / DHE_RSA_AES_128_GCM_SHA256
16:50:43.961323 *        server certificate verification OK
16:50:43.961343 *        server certificate status verification SKIPPED
16:50:43.961471 *        common name: entropy.ubuntu.com (matched)
16:50:43.961489 *        server certificate expiration date OK
16:50:43.961504 *        server certificate activation date OK
16:50:43.961527 *        certificate public key: RSA
16:50:43.961541 *        certificate version: #3
16:50:43.961592 *        subject: C=GB,L=London,O=Canonical Group Ltd,CN=entropy.ubuntu.com
16:50:43.961611 *        start date: Fri, 22 Jul 2016 00:00:00 GMT
16:50:43.961638 *        expire date: Tue, 05 Sep 2017 12:00:00 GMT
16:50:43.961672 *        issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
16:50:43.961698 *        compression: NULL
16:50:43.961712 * ALPN, server did not agree to a protocol
16:50:43.961794 > POST / HTTP/1.1
16:50:43.961794 > Host: entropy.ubuntu.com
16:50:43.961794 > User-Agent: pollinate/4.24-0ubuntu1 curl/7.47.0-1ubuntu2.2 cloud-init/ Ubuntu/16.04.1/LTS GNU/Linux/4.4.0-57-generic/x86_64 Intel(R)/Core(TM)/i7-5600U/CPU/@/2.60GHz uptime/224399.63/367735.05
16:50:43.961794 > Accept: */*
16:50:43.961794 > Content-Length: 138
16:50:43.961794 > Content-Type: application/x-www-form-urlencoded
16:50:43.961794 > 
16:50:43.961876 } [138 bytes data]
16:50:43.961900 * upload completely sent off: 138 out of 138 bytes
16:50:44.143388 < HTTP/1.1 200 OK
16:50:44.143424 < Date: Tue, 10 Jan 2017 14:50:46 GMT
16:50:44.143435 < Content-Length: 258
16:50:44.143446 < Content-Type: text/plain; charset=utf-8
16:50:44.143456 < X-Cache: MISS from okra
16:50:44.143465 < X-Cache-Lookup: MISS from okra:3128
16:50:44.143475 < Via: 1.1 okra (squid/3.3.8)
16:50:44.143485 < Connection: keep-alive
16:50:44.143495 < 
 34   396    0     0  100   138      0    140 --:--:-- --:--:-- --:--:--   140
16:50:44.143570 { [258 bytes data]
100   396  100   258  100   138    263    140 --:--:-- --:--:-- --:--:--   263
16:50:44.143628 * Connection #0 to host entropy.ubuntu.com left intact

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to pollen in Ubuntu.
https://bugs.launchpad.net/bugs/1634346

Title:
  https://entropy.ubuntu.com lacks Perfect Forward Secrecy (PFS) and has
  certificate chain issues

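The curl trace in the message records the negotiated protocol and cipher suite, the CA bundle curl loaded, and the certificate checks it ran. The script below is an added example, not part of the bug report or of pollinate: it parses lines in that curl `-v --trace-time` format and flags what a reviewer of this bug would look at, namely whether the key exchange is ephemeral (DHE or ECDHE, which is what provides forward secrecy), whether chain verification succeeded against a loaded CA bundle, whether the hostname matched, whether the revocation status check ran, and whether the certificate was inside its validity window at capture time. The embedded sample trace is constructed from the lines in the message; the function and constant names are the example's own. It accepts both GnuTLS-style (`DHE_RSA_...`) and OpenSSL-style (`ECDHE-RSA-...`) suite names and treats any TLS 1.3 suite as forward secret, since TLS 1.3 removed static key exchange.

```python
"""Assess a curl -v trace for forward secrecy and certificate checks.

Added example; not part of the bug report or of pollinate.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the GnuTLS-backend trace in the message.
SAMPLE_TRACE = """\
16:50:43.355891 * found 2 certificates in /etc/pollinate/entropy.ubuntu.com.pem
16:50:43.355909 * found 0 certificates in /dev/null
16:50:43.960703 * SSL connection using TLS1.2 / DHE_RSA_AES_128_GCM_SHA256
16:50:43.961323 *        server certificate verification OK
16:50:43.961343 *        server certificate status verification SKIPPED
16:50:43.961471 *        common name: entropy.ubuntu.com (matched)
16:50:43.961611 *        start date: Fri, 22 Jul 2016 00:00:00 GMT
16:50:43.961638 *        expire date: Tue, 05 Sep 2017 12:00:00 GMT
16:50:43.961672 *        issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
"""

# Key-exchange families that derive a fresh session key per connection.
FORWARD_SECRET_KX = ("ECDHE", "DHE")

_TRACE_TIME = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")
_RE = {
    "cipher": re.compile(r"\* SSL connection using (\S+) / (\S+)"),
    "verify": re.compile(r"\*\s+server certificate verification (\w+)"),
    "status": re.compile(r"\*\s+server certificate status verification (\w+)"),
    "cn": re.compile(r"\*\s+common name: (\S+) \((.*)\)$"),
    "start": re.compile(r"\*\s+start date: (.+)$"),
    "expire": re.compile(r"\*\s+expire date: (.+)$"),
    "issuer": re.compile(r"\*\s+issuer: (.+)$"),
    "bundle": re.compile(r"\* found (\d+) certificates in (\S+)"),
}


def parse_trace(text):
    """Extract handshake and certificate facts from curl's verbose output."""
    info = {"ca_bundles": {}}
    for raw in text.splitlines():
        line = _TRACE_TIME.sub("", raw).rstrip()  # drop --trace-time prefix
        for key, rx in _RE.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "cipher":
                info["version"], info["cipher"] = m.groups()
            elif key == "bundle":
                info["ca_bundles"][m.group(2)] = int(m.group(1))
            elif key == "cn":
                info["cn"] = m.group(1)
                info["cn_matched"] = m.group(2) == "matched"
            elif key in ("start", "expire"):
                info[key] = parsedate_to_datetime(m.group(1))
            else:
                info[key] = m.group(1)
            break
    return info


def forward_secret(version, cipher):
    """True if the suite's key exchange is ephemeral (ECDHE/DHE or TLS 1.3)."""
    if version.replace("v", "").startswith("TLS1.3"):
        return True
    # GnuTLS names: DHE_RSA_AES_128_GCM_SHA256; OpenSSL: ECDHE-RSA-AES128-GCM-SHA256.
    # OpenSSL omits the prefix entirely for static RSA (AES128-GCM-SHA256).
    kx = re.split(r"[_-]", cipher)[0]
    return kx in FORWARD_SECRET_KX


def assess(trace_text, now=None):
    """Return a list of findings; an empty list means nothing to report."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)  # e.g. "2017-01-10T14:50:00+00:00"
    info = parse_trace(trace_text)
    if "cipher" not in info:
        return ["no TLS handshake found in trace"]
    findings = []
    if not forward_secret(info["version"], info["cipher"]):
        findings.append(f"no forward secrecy: {info['cipher']} uses a static key exchange")
    if info.get("verify") != "OK":
        findings.append(f"certificate verification: {info.get('verify', 'missing')}")
    if info.get("status") == "SKIPPED":
        findings.append("revocation (OCSP) status check skipped")
    if not info.get("cn_matched", False):
        findings.append("hostname did not match certificate")
    if "start" in info and now < info["start"]:
        findings.append("certificate not yet valid")
    if "expire" in info and now > info["expire"]:
        findings.append(f"certificate expired on {info['expire']:%Y-%m-%d}")
    if not any(info["ca_bundles"].values()):
        findings.append("no CA certificates loaded: verification cannot be anchored")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_TRACE, now="2017-01-10T14:50:00+00:00"):
        print(finding)
```

Run against the sample at the message's capture time, the only finding is the skipped status check: DHE_RSA is an ephemeral exchange, so the trace as posted does show forward secrecy, and the chain verified against the two certificates in the pinned bundle. Feed it a later `now` and the expiry finding appears; feed it an OpenSSL-style `AES128-GCM-SHA256` line and it reports the static RSA exchange.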