Hi,

Doesn't seems to work. The mail (see attachment) went out but no bug is opened.
2017-04-03 21:53:05 1cv82D-0004E2-4w <= klaus@??? H=(ikki.ket) [192.168.17.4] P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no A=plain_server:ikki S=3678 id=20170403195304.e2srg6biwapruaqe@???
2017-04-03 21:53:08 1cv82D-0004E2-4w => submit@??? R=dnslookup T=remote_smtp H=tupac2.dyne.org [178.62.188.7] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=yes DN="OU=Domain Control Validated,OU=Gandi Standard Wildcard SSL,CN=*.dyne.org" C="250 2.0.0 Ok: queued as 776B018BF8E"

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

Package: devuan-www
Severity: important

Since several months, the web page (www.devuan.org) is not viewable for
those who care about security and trust only the certificate that the
owner has access to instead of every untrusted CA.

The way to do that is DNSSEC with TLSA and thankfully, devuan does
support that.

Unfortunately, since several months, (I believe, when devuan switched to
that horrable Let's encrypt) the page doesn't match the TLSA record
anymore. That leads to a unviewable page if one cares about security.

So the TLSA record should be updated to match the SSL certificate of the
page (or the right SSL certificate should be used).

There are few solutions for this if it is really the switch to Let's
encrypt that is the cause:
- - Every time you replace the SSL certificate, update the TLSA record
too. That is very painful as Let's encrypt drives security adabsurdum
by replacing the certificate with every single new load. (Keep in
mind, not everyone is checking the side every hour.) That is the most
stupid (sorry) way.
- - Get a certificate from a more stable source that is not replacing the
certificates that often. You still need to change the TLSA record
every time you replace the certificate. That is, in my opinion, the
most reliable way.
- - If you don't care about the fucked up CA stuff, just generate a self
signed certificate and put the right stuff into TLSA record. This is
the most honest way to go but realistically, as browser vendors seems
to passively boycott DNSSEC, this is no way to go for a site like
devuan.
- - The last way would be to use the CA fingerprint instead of the one of
the actual certificate. Or use the fingerprint of the key if you don't
change it with every certificate renewal. This is making good face on
a bad matter but it is working too.

Regards
   Klaus
- -- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C