- multiple TLS up/download workflows broken by expiration of AddTrust External CA Root
Re: multiple TLS up/download workflows broken by expiration of AddTrust External CA Root
On Sat, May 30, 2020 at 8:54 AM Royce Williams <royce@...
Andrew Ayer (the SSLMate guy, knows his TLS stuff) wrote up a really good explainer here:
Be aware that multiple platforms are being affected today by the expiration of the "AddTrust External CA Root" cert (https://crt.sh/?id=1
If you're getting weird failures when pulling something from an API, or when updating packages - anything with a download in the workflow - and it breaks in a weird way today, get under the hood and see if the cert is failing validation.
The fix for appliances will likely be updating firmware, though there may be a chicken-and-egg problem where the download of the firmware itself will fail because validation of the upstream TLS cert is broken.
For self-made devices/servers, updating curl or OpenSSL to be able to properly validate the chain may work.
GnuTLS appears to be broken more deeply; no recommendation there yet.
Follow @sleevi_ (Ryan Sleevi, Google TLS security person) on Twitter for developing info, specifically this thread:
pfSense is aware of the issue, see this thread:
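An added example, not part of the original message: one way to "get under the hood" is to dump the expiry date of every certificate a server sends and see which position in the chain has lapsed. The sketch assumes the input is the output of `openssl x509 -noout -subject -enddate` run on each certificate in turn; the host name, intermediate name and dates in the sample are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: per-certificate output of
#   openssl x509 -noout -subject -enddate
# for a three-certificate chain (names and dates are illustrative).
SAMPLE_CHAIN = """\
subject=CN = api.example.test
notAfter=Mar  1 23:59:59 2021 GMT
subject=CN = Example Intermediate CA
notAfter=May 30 10:48:38 2020 GMT
subject=CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
"""


def parse_chain(text):
    """Return [(subject, not_after_utc)] in the order the certs appear."""
    certs, subject = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter":
            if subject is None:
                raise ValueError("notAfter line without a preceding subject")
            # OpenSSL pads single-digit days with a space; strptime accepts that.
            when = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            certs.append((subject, when.replace(tzinfo=timezone.utc)))
            subject = None
    return certs


def expired(text, now=None):
    """Return [(chain_position, subject, not_after)] for certs expired at `now`.

    Position 0 is the leaf; higher positions are the CA certificates above it.
    """
    now = now or datetime.now(timezone.utc)
    return [(pos, subj, end)
            for pos, (subj, end) in enumerate(parse_chain(text))
            if end <= now]


if __name__ == "__main__":
    for pos, subj, end in expired(SAMPLE_CHAIN):
        print(f"chain[{pos}] expired {end:%Y-%m-%d %H:%M:%S} UTC: {subj}")
```

A leaf that is still valid with expired entries higher in the chain points at the server's chain or the client's validation library rather than at the site's own certificate.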