[oi-dev] crypto/ca-certificates
stes@PANDORA.BE
stes at telenet.be
Thu Oct 28 16:38:56 UTC 2021
there's a new nss package available at ftp.mozilla.org
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_72_RTM/src/
remember that I have in Squeak Smalltalk an issue with the following certificate
# openssl x509 -noout -in /etc/certs/CA/DST_Root_CA_X3.pem -text
...
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
Unfortunately the previous upgrade to crypto/ca-certificates version 3.71-2020.0.1.0 did not solve that issue.
the issue is documented at
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
where they say openssl 1.0.2 has an issue with that expired certificate and they say openssl 1.1 does not
(but perhaps openssl 1.1 may have some other issues)
Perhaps a new upgrade to the ca-certificates 3.72 is a possibility ?
I didn't test that.
Note that this is not super urgent as the workaround document in the blog article works fine.
Regards,
David Stes
More information about the oi-dev
mailing list