Hello, the capability bits in the CA certificate used by the Single SignOn were incorrect. This was ignored by openssl in jessie, and it's starting to be noticed by openssl in stretch and above. Thanks to the work of Luca Filipozzi, sso.debian.org has an updated CA certificate with the right bits. Luca reused the private key material, so all existing certificates remain valid. If you are maintaining a service that authenticates developers, and you are not using the CA key directly from /var/lib/dsa/sso, then please update the CA certificate in your service with the new version at https://sso.debian.org/ca/ca.pem Enrico -- GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
Attachment:
signature.asc
Description: PGP signature