Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Carl Tietjen-2

Hello,

From the download site, https://www.openssl.org/source/ click the SHA256 link for the new releases.  The files do not contain SHA256 hashes.

FYI -- The SHA1 hashes seem to be ok -- I only checked one.

Thanks,

Carl

 

 

Reply | Threaded
Open this post in threaded view
|

Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Matt Caswell-2


On 11/09/2019 18:08, Carl Tietjen wrote:
> Hello,
>
> From the download site, https://www.openssl.org/source/ click the SHA256 link
> for the new releases.  The files do not contain SHA256 hashes.
>
> FYI -- The SHA1 hashes seem to be ok -- I only checked one.

These seem to be ok for me?

Matt

Reply | Threaded
Open this post in threaded view
|

RE: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Carl Tietjen-2

Weird. 

-- When I switch to download with Chrome, the files are fine.

-- I retested using my default browser (Firefox) and I am still seeing the issue.

-- I tried it with IE and also see the issue.

 

Can you verify the Firefox and IE downloads.

 

Carl

 

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of Matt Caswell
Sent: Wednesday, September 11, 2019 11:10 AM
To: [hidden email]
Subject: Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

On 11/09/2019 18:08, Carl Tietjen wrote:

> Hello,

>

> From the download site, https://www.openssl.org/source/ click the

> SHA256 link for the new releases.  The files do not contain SHA256 hashes.

>

> FYI -- The SHA1 hashes seem to be ok -- I only checked one.

 

These seem to be ok for me?

 

Matt

 

Reply | Threaded
Open this post in threaded view
|

RE: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Michael Wojcik
I can confirm Carl's issue when I download using Pale Moon (a Firefox fork):

-----
$ file openssl-1.1.1d.tar.gz.sha256
openssl-1.1.1d.tar.gz.sha256: gzip compressed data, from FAT filesystem (MS-DOS,
 OS/2, NT)

$ file openssl-1.1.1d.tar.gz.sha1
openssl-1.1.1d.tar.gz.sha1: ASCII text

$ file openssl-1.1.1d.tar.gz.asc
openssl-1.1.1d.tar.gz.asc: PGP signature Signature (old)

$ gpg --verify  openssl-1.1.1d.tar.gz.asc  openssl-1.1.1d.tar.gz
gpg: Signature made 09/10/19 09:13:14 EDT using RSA key ID 0E604491
gpg: Good signature from "Matt Caswell <[hidden email]>" [full]
gpg:                 aka "Matt Caswell <[hidden email]>" [full]
-----

So the .sha1 file and the signature look fine, but the .sha256 file is apparently a fragment of gzip-compressed data. And ... let's see ... gunzip'ing it gives us the SHA256 hash in ASCII. So my guess the server is gzip'ing it (or it's gzip'ed at rest on the server), but the server isn't setting the content-transfer-encoding correctly. Chrome might be content-sniffing and decompressing based on that. I haven't looked at the response headers though.

(Personally, I always check the signature and don't bother with the posted hashes.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus


Reply | Threaded
Open this post in threaded view
|

Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Richard Levitte - VMS Whacker-2
Issue found...  Apache detected .gz in the file name and set the
encoding to 'application/x-gzip'...  Apparently, we already force .asc
and .sha1 files to application/binary, but have apparently not added a
similar directive for .sha256 files.

Now done.

Cheers,
Richard

On Wed, 11 Sep 2019 22:04:53 +0200,
Michael Wojcik wrote:

>
> I can confirm Carl's issue when I download using Pale Moon (a Firefox fork):
>
> -----
> $ file openssl-1.1.1d.tar.gz.sha256
> openssl-1.1.1d.tar.gz.sha256: gzip compressed data, from FAT filesystem (MS-DOS,
>  OS/2, NT)
>
> $ file openssl-1.1.1d.tar.gz.sha1
> openssl-1.1.1d.tar.gz.sha1: ASCII text
>
> $ file openssl-1.1.1d.tar.gz.asc
> openssl-1.1.1d.tar.gz.asc: PGP signature Signature (old)
>
> $ gpg --verify  openssl-1.1.1d.tar.gz.asc  openssl-1.1.1d.tar.gz
> gpg: Signature made 09/10/19 09:13:14 EDT using RSA key ID 0E604491
> gpg: Good signature from "Matt Caswell <[hidden email]>" [full]
> gpg:                 aka "Matt Caswell <[hidden email]>" [full]
> -----
>
> So the .sha1 file and the signature look fine, but the .sha256 file is apparently a fragment of gzip-compressed data. And ... let's see ... gunzip'ing it gives us the SHA256 hash in ASCII. So my guess the server is gzip'ing it (or it's gzip'ed at rest on the server), but the server isn't setting the content-transfer-encoding correctly. Chrome might be content-sniffing and decompressing based on that. I haven't looked at the response headers though.
>
> (Personally, I always check the signature and don't bother with the posted hashes.)
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
Reply | Threaded
Open this post in threaded view
|

RE: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Carl Tietjen-2

Still seeing the issue for SOME of the SHA256 files...  I waited for a while thinking it might be a cache issue, but no change.

 

https://www.openssl.org/source/openssl-1.0.2t.tar.gz.sha256  -- BAD

https://www.openssl.org/source/openssl-1.1.0l.tar.gz.sha256  -- OK

https://www.openssl.org/source/openssl-1.1.1d.tar.gz.sha256 -- BAD

https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz.sha256 -- OK

https://www.openssl.org/source/openssl-fips-ecp-2.0.16.tar.gz.sha256 -- OK

 

 

-----Original Message-----
From: Richard Levitte [mailto:[hidden email]]
Sent: Wednesday, September 11, 2019 2:41 PM
To: Michael Wojcik <[hidden email]>
Cc: Carl Tietjen <[hidden email]>; Matt Caswell <[hidden email]>; [hidden email]
Subject: Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

 

Issue found...  Apache detected .gz in the file name and set the encoding to 'application/x-gzip'...  Apparently, we already force .asc and .sha1 files to application/binary, but have apparently not added a similar directive for .sha256 files.

 

Now done.

 

Cheers,

Richard

 

On Wed, 11 Sep 2019 22:04:53 +0200,

Michael Wojcik wrote:

>

> I can confirm Carl's issue when I download using Pale Moon (a Firefox fork):

>

> -----

> $ file openssl-1.1.1d.tar.gz.sha256

> openssl-1.1.1d.tar.gz.sha256: gzip compressed data, from FAT

> filesystem (MS-DOS,  OS/2, NT)

>

> $ file openssl-1.1.1d.tar.gz.sha1

> openssl-1.1.1d.tar.gz.sha1: ASCII text

>

> $ file openssl-1.1.1d.tar.gz.asc

> openssl-1.1.1d.tar.gz.asc: PGP signature Signature (old)

>

> $ gpg --verify  openssl-1.1.1d.tar.gz.asc  openssl-1.1.1d.tar.gz

> gpg: Signature made 09/10/19 09:13:14 EDT using RSA key ID 0E604491

> gpg: Good signature from "Matt Caswell <[hidden email]>" [full]

> gpg:                 aka "Matt Caswell <[hidden email]>" [full]

> -----

>

> So the .sha1 file and the signature look fine, but the .sha256 file is apparently a fragment of gzip-compressed data. And ... let's see ... gunzip'ing it gives us the SHA256 hash in ASCII. So my guess the server is gzip'ing it (or it's gzip'ed at rest on the server), but the server isn't setting the content-transfer-encoding correctly. Chrome might be content-sniffing and decompressing based on that. I haven't looked at the response headers though.

>

> (Personally, I always check the signature and don't bother with the

> posted hashes.)

>

> --

> Michael Wojcik

> Distinguished Engineer, Micro Focus

>

>

--

Richard Levitte         [hidden email]

OpenSSL Project         http://www.openssl.org/~levitte/

Reply | Threaded
Open this post in threaded view
|

Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Richard Levitte - VMS Whacker-2
Thanks for the heads up.

For some reason, the information at our CDN remained incorrect for the
"BAD" files, so I purged all the current release files there, so their
cache for them would rebuild from scratch.  They look better now.

Cheers,
Richard

On Thu, 12 Sep 2019 00:25:40 +0200,
Carl Tietjen wrote:

>
>
> Still seeing the issue for SOME of the SHA256 files...  I waited for a while thinking it might be
> a cache issue, but no change.
>
> https://www.openssl.org/source/openssl-1.0.2t.tar.gz.sha256  -- BAD
>
> https://www.openssl.org/source/openssl-1.1.0l.tar.gz.sha256  -- OK
>
> https://www.openssl.org/source/openssl-1.1.1d.tar.gz.sha256 -- BAD
>
> https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz.sha256 -- OK
>
> https://www.openssl.org/source/openssl-fips-ecp-2.0.16.tar.gz.sha256 -- OK
>
> -----Original Message-----
> From: Richard Levitte [mailto:[hidden email]]
> Sent: Wednesday, September 11, 2019 2:41 PM
> To: Michael Wojcik <[hidden email]>
> Cc: Carl Tietjen <[hidden email]>; Matt Caswell <[hidden email]>;
> [hidden email]
> Subject: Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d,
> 1.0.2t, 1.1.0l etc
>
> Issue found...  Apache detected .gz in the file name and set the encoding to 'application/
> x-gzip'...  Apparently, we already force .asc and .sha1 files to application/binary, but have
> apparently not added a similar directive for .sha256 files.
>
> Now done.
>
> Cheers,
>
> Richard
>
> On Wed, 11 Sep 2019 22:04:53 +0200,
>
> Michael Wojcik wrote:
>
> >
>
> > I can confirm Carl's issue when I download using Pale Moon (a Firefox fork):
>
> >
>
> > -----
>
> > $ file openssl-1.1.1d.tar.gz.sha256
>
> > openssl-1.1.1d.tar.gz.sha256: gzip compressed data, from FAT
>
> > filesystem (MS-DOS,  OS/2, NT)
>
> >
>
> > $ file openssl-1.1.1d.tar.gz.sha1
>
> > openssl-1.1.1d.tar.gz.sha1: ASCII text
>
> >
>
> > $ file openssl-1.1.1d.tar.gz.asc
>
> > openssl-1.1.1d.tar.gz.asc: PGP signature Signature (old)
>
> >
>
> > $ gpg --verify  openssl-1.1.1d.tar.gz.asc  openssl-1.1.1d.tar.gz
>
> > gpg: Signature made 09/10/19 09:13:14 EDT using RSA key ID 0E604491
>
> > gpg: Good signature from "Matt Caswell <[hidden email]>" [full]
>
> > gpg:                 aka "Matt Caswell <[hidden email]>" [full]
>
> > -----
>
> >
>
> > So the .sha1 file and the signature look fine, but the .sha256 file is apparently a fragment of
> gzip-compressed data. And ... let's see ... gunzip'ing it gives us the SHA256 hash in ASCII. So my
> guess the server is gzip'ing it (or it's gzip'ed at rest on the server), but the server isn't
> setting the content-transfer-encoding correctly. Chrome might be content-sniffing and
> decompressing based on that. I haven't looked at the response headers though.
>
> >
>
> > (Personally, I always check the signature and don't bother with the
>
> > posted hashes.)
>
> >
>
> > --
>
> > Michael Wojcik
>
> > Distinguished Engineer, Micro Focus
>
> >
>
> >
>
> --
>
> Richard Levitte         [hidden email]
>
> OpenSSL Project         http://www.openssl.org/~levitte/
>
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
Reply | Threaded
Open this post in threaded view
|

RE: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Carl Tietjen-2
So the https://www.openssl.org/source/openssl-1.0.2t.tar.gz.sha256 file still has the issue.  All the other files from the main download page are OK
Carl


-----Original Message-----
From: Richard Levitte [mailto:[hidden email]]
Sent: Wednesday, September 11, 2019 4:41 PM
To: Carl Tietjen <[hidden email]>
Cc: Richard Levitte <[hidden email]>; Michael Wojcik <[hidden email]>; Matt Caswell <[hidden email]>; [hidden email]
Subject: Re: Problem with the SHA256 signatures (download files) for the new releases 1.1.1d, 1.0.2t, 1.1.0l etc

Thanks for the heads up.

For some reason, the information at our CDN remained incorrect for the "BAD" files, so I purged all the current release files there, so their cache for them would rebuild from scratch.  They look better now.

Cheers,
Richard

On Thu, 12 Sep 2019 00:25:40 +0200,
Carl Tietjen wrote:

>
>
> Still seeing the issue for SOME of the SHA256 files...  I waited for a
> while thinking it might be a cache issue, but no change.
>
> https://www.openssl.org/source/openssl-1.0.2t.tar.gz.sha256  -- BAD
>
> https://www.openssl.org/source/openssl-1.1.0l.tar.gz.sha256  -- OK
>
> https://www.openssl.org/source/openssl-1.1.1d.tar.gz.sha256 -- BAD
>
> https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz.sha256 -- OK
>
> https://www.openssl.org/source/openssl-fips-ecp-2.0.16.tar.gz.sha256 
> -- OK
>
> -----Original Message-----
> From: Richard Levitte [mailto:[hidden email]]
> Sent: Wednesday, September 11, 2019 2:41 PM
> To: Michael Wojcik <[hidden email]>
> Cc: Carl Tietjen <[hidden email]>; Matt Caswell
> <[hidden email]>; [hidden email]
> Subject: Re: Problem with the SHA256 signatures (download files) for
> the new releases 1.1.1d, 1.0.2t, 1.1.0l etc
>
> Issue found...  Apache detected .gz in the file name and set the
> encoding to 'application/ x-gzip'...  Apparently, we already force
> .asc and .sha1 files to application/binary, but have apparently not added a similar directive for .sha256 files.
>
> Now done.
>
> Cheers,
>
> Richard
>
> On Wed, 11 Sep 2019 22:04:53 +0200,
>
> Michael Wojcik wrote:
>
> >
>
> > I can confirm Carl's issue when I download using Pale Moon (a Firefox fork):
>
> >
>
> > -----
>
> > $ file openssl-1.1.1d.tar.gz.sha256
>
> > openssl-1.1.1d.tar.gz.sha256: gzip compressed data, from FAT
>
> > filesystem (MS-DOS,  OS/2, NT)
>
> >
>
> > $ file openssl-1.1.1d.tar.gz.sha1
>
> > openssl-1.1.1d.tar.gz.sha1: ASCII text
>
> >
>
> > $ file openssl-1.1.1d.tar.gz.asc
>
> > openssl-1.1.1d.tar.gz.asc: PGP signature Signature (old)
>
> >
>
> > $ gpg --verify  openssl-1.1.1d.tar.gz.asc  openssl-1.1.1d.tar.gz
>
> > gpg: Signature made 09/10/19 09:13:14 EDT using RSA key ID 0E604491
>
> > gpg: Good signature from "Matt Caswell <[hidden email]>" [full]
>
> > gpg:                 aka "Matt Caswell <[hidden email]>" [full]
>
> > -----
>
> >
>
> > So the .sha1 file and the signature look fine, but the .sha256 file
> > is apparently a fragment of
> gzip-compressed data. And ... let's see ... gunzip'ing it gives us the
> SHA256 hash in ASCII. So my guess the server is gzip'ing it (or it's
> gzip'ed at rest on the server), but the server isn't setting the
> content-transfer-encoding correctly. Chrome might be content-sniffing and decompressing based on that. I haven't looked at the response headers though.
>
> >
>
> > (Personally, I always check the signature and don't bother with the
>
> > posted hashes.)
>
> >
>
> > --
>
> > Michael Wojcik
>
> > Distinguished Engineer, Micro Focus
>
> >
>
> >
>
> --
>
> Richard Levitte         [hidden email]
>
> OpenSSL Project         http://www.openssl.org/~levitte/
>
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/