[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Upcoming compatibility problem of oldstable (and older) vs. certificates from Let's Encrypt


Here's the same for openssl-1.0.2/stretch:

I also contributed to the launchpad bug for openssl where they have an issue with trusty/openssl-1.0.1 so we can cross-review for jessie.

Sylvain Beucler
Debian LTS Team

On 11/09/2021 23:21, Sylvain Beucler wrote:

I have a stretch gnutls28 update ready for testing:
AFAICT this fixes wget and apt-transport-https.

On jessie the new testsuite unit is failing, I'm investigating.

I'd welcome tests on all kinds of certs to ensure no regression was introduced.

No news wrt the openssl update yet.

Sylvain Beucler
Debian LTS Team

On 10/09/2021 20:47, Sylvain Beucler wrote:

On 09/09/2021 19:11, Stefan Huehner wrote:
looking a tiny bit at changelog for gnutls buster it looks like the backport was already done :)

the _16 + _17 patches from the description sound like what i understand the fix is (explore alternative verification paths...)

Thanks, that's a good reference for the gnutls part.

On 10/09/2021 10:55, Christoph Berg wrote:
Note that stretch and later are using libssl1.1 by default, so only packages
who were actively patched to keep using 1.0 are affected.

This notably includes curl :/  So this needs fixing as well.
An openssl[1.0] update is underway, I'll coordinate with Thorsten.

Also, a work-around is to drop the expiring CA:
$ rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
$ update-ca-certificate

Reply to: