[lug] Understanding a SSL/TLS Certificate Issue

Jed S. Baer blug at jbaer.cotse.net
Fri Jun 19 18:12:48 MDT 2020


On Fri, 19 Jun 2020 16:15:42 -0600
Rob Nagler wrote:

> If this is the issue (easy to check), you have to replace the
> intermediate cert bundle with the new intermediate certs from Sectigo:
> 
> https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates
> 
> Note that there are two types of Sectigo certs. I found this Namecheap
> page helpful:
> 
> https://www.namecheap.com/support/knowledgebase/article.aspx/10228/14/sectigo-root-certificate-expiring-may-30-2020/#2

I'm not sure about the "easy to check" part.

And I don't know about replacing certs on my system, since COTSE sends
the chain down to me in the SMTP handshake.

But, there's stuff I've never gotten into "under the hood", so ...

Anyways, that namecheap page links to
https://www.cmu.edu/iso/service/cert-auth/addtrust.html where it says
that:
"Broken Clients - Known Examples
 [snip]
Client software that use OpenSSL libraries prior to version 1.1.1 for
certificate path validation appear to always validate the full Trust
Chain A sent from the server even though modern roots were configured to
validate Trust Chain B.

This unfortunate behavior was observed on Red Hat Enterprise Linux 6
(OpenSSL 1.0.1e-fips) and 7 (OpenSSL 1.0.2k-fips)."

I think Debian Stable is still at 1.0.1t.

Anyways, the CMU page has downloadable new certs, but no instructions,
but I'm guessing I just stick them in /usr/share/ca-certificates, link
them in to /etc/ssl/certs, and then run a script, maybe
update-ca-certificates?

Currently, I have nothing from Sectigo or UserTrust in those directories.
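The "easy to check" part from the thread above, as an added example that is not from either poster: feed the `Certificate chain` listing that `openssl s_client -starttls smtp -showcerts` prints into a small parser and flag whether the served chain terminates via the expired AddTrust External CA Root cross-sign (the CMU page's "Trust Chain A"). The two chain listings below are constructed samples with placeholder hostnames; the CA names are the real Sectigo/USERTrust/AddTrust subject names.

```python
import re

# Constructed sample of the chain block printed by
#   openssl s_client -starttls smtp -connect mail.example.invalid:25 -showcerts </dev/null
# PEM blobs omitted; only the " N s:" / "   i:" lines matter here.
# Chain A: intermediate -> USERTrust RSA CA cross-signed by the expired AddTrust root.
SAMPLE_CHAIN_A = """\
Certificate chain
 0 s:CN = mail.example.invalid
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
"""

# Chain B (constructed): server stops at the intermediate; the client must
# already trust the self-signed USERTrust RSA root, so no AddTrust link is sent.
SAMPLE_CHAIN_B = """\
Certificate chain
 0 s:CN = mail.example.invalid
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
"""

LEGACY_CROSS_SIGN_ISSUER = "AddTrust External CA Root"  # expired 30 May 2020


def parse_chain(text):
    """Return [(subject, issuer), ...] in server order from an s_client chain listing.

    Works for both the OpenSSL 1.1.x 'C = GB, O = ...' and the 1.0.x
    '/C=GB/O=...' name styles because it only splits on the s:/i: prefixes.
    """
    pairs, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def cross_signed_by_addtrust(text):
    """True if any served certificate is issued by the expired AddTrust root (Trust Chain A)."""
    return any(LEGACY_CROSS_SIGN_ISSUER in issuer for _, issuer in parse_chain(text))
```

A chain that returns True is the case the CMU page describes: OpenSSL 1.0.x clients follow the served AddTrust link and fail even when the modern USERTrust root is in the local store.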
