
Re: Upcoming compatibility problem of oldstable (and older) vs. certificates from Let's Encrypt


On 09/09/2021 19:11, Stefan Huehner wrote:
> looking a tiny bit at changelog for gnutls buster it looks like the backport was already done :)
> 3.6.7-4+deb10u5
> the _16 + _17 patches from the description sound like what I understand the fix is (explore alternative verification paths...)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889

Thanks, that's a good reference for the gnutls part.

On 10/09/2021 10:55, Christoph Berg wrote:
> Note that stretch and later are using libssl1.1 by default, so only packages
> who were actively patched to keep using 1.0 are affected.

This notably includes curl :/  So this needs fixing as well.
An openssl[1.0] update is underway, I'll coordinate with Thorsten.

Also, a work-around is to drop the expiring CA:
$ rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
$ update-ca-certificates

Sylvain Beucler
Debian LTS Team
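
A variant of the work-around above, as an added example that is not part of the original message: instead of deleting the certificate file, it deselects the entry in a file that uses the /etc/ca-certificates.conf format, where a leading "!" marks an entry as deselected. The function name deselect_ca is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). Deselects a CA in a file
# that uses the /etc/ca-certificates.conf format, where a leading "!" marks
# an entry as deselected and "#" starts a comment.

# deselect_ca CONF ENTRY   (hypothetical helper name)
# Returns 0 if the entry is now deselected (or already was), 1 if the entry
# is not listed as an active entry, 2 on usage or temp-file error.
deselect_ca() {
    conf=$1
    entry=$2
    [ -f "$conf" ] && [ -n "$entry" ] || return 2

    # Already deselected: nothing to do (keeps the function idempotent).
    if grep -Fxq "!$entry" "$conf"; then
        return 0
    fi
    # Not listed as an active entry: report it rather than appending blindly.
    if ! grep -Fxq "$entry" "$conf"; then
        return 1
    fi

    tmp=$(mktemp) || return 2
    # Exact whole-line match, so similarly named entries are left alone.
    # Writing back with cat keeps the owner and mode of the original file.
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use on a real system (as root), then rebuild /etc/ssl/certs:
#   deselect_ca /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt \
#       && update-ca-certificates
```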
