Re: multiple TLS up/download workflows broken by expiration of AddTrust External CA Root


Royce Williams
 

Test your client with this TLS host: https://addtrust-chain.demo.sslmate.com/

Check status of server chain, and generate a fixed chain file, with this: https://whatsmychaincert.com/

-- 
Royce Williams
Tech Solvency


On Sat, May 30, 2020 at 8:54 AM Royce Williams <royce@...> wrote:
Andrew Ayer (the SSLMate guy, knows his TLS stuff) wrote up a really good explainer here:


-- 
Royce


On Sat, May 30, 2020 at 8:00 AM Royce Williams via groups.io <royce.williams=gmail.com@groups.io> wrote:

Be aware that multiple platforms are being affected today by the expiration of the "AddTrust External CA Root" cert (https://crt.sh/?id=1). 

If you're getting weird failures when pulling something from an API, or when updating packages - anything with a download in the workflow - and it breaks in a weird way today, get under the hood and see if the cert is failing validation.

The fix for appliances will likely be updating firmware, though there may be a chicken-and-egg problem where the download of the firmware itself will fail because validation of the upstream TLS cert is broken.

For self-made devices/servers, updating curl or OpenSSL to be able to properly validate the chain may work.

GnuTLS appears to be broken more deeply, no recommendation there yet.

Follow @sleevi_ (Ryan Sleevi, Google TLS security person) on Twitter for developing info, specifically this thread:

https://twitter.com/sleevi_/status/1266647545675210753

Known affected platforms so far include pfSense, OVH, Datadog, etc.

pfSense is aware of the issue, see this thread:


-- 
Royce Williams
Tech Solvency
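As an added example (not part of Royce's messages or of the tools he links), the following POSIX shell script does the "get under the hood" check from the thread on a saved PEM chain file: it splits the chain into individual certificates, reports each one's subject, issuer and expiry, flags certificates that are expired or that involve "AddTrust External CA Root" (either the root itself or an intermediate cross-signed by it), and writes a trimmed chain without them. `split_chain` needs only awk; `check_chain` and `fetch_chain` assume the `openssl` command-line tool is installed. The host name in the usage comment is the demo host from the thread; the file and directory names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread. Inspects a PEM chain file for
# certificates that are expired or tied to the AddTrust External CA Root.

# Split a PEM bundle ($1) into cert-NN.pem files under $2 and print the count.
# Uses only awk, so it works even on a box with no openssl installed.
split_chain() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# Save the chain a live server presents (leaf first) into $2; assumes openssl.
# Usage: fetch_chain addtrust-chain.demo.sslmate.com:443 chain.pem
fetch_chain() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
}

# Report on every certificate in the chain file $1 and write a trimmed chain
# (expired and AddTrust-related certificates dropped) to $2/fixed-chain.pem.
check_chain() {
  bundle="$1"; workdir="${2:-$(mktemp -d)}"
  count=$(split_chain "$bundle" "$workdir")
  echo "$count certificate(s) in $bundle"
  : > "$workdir/fixed-chain.pem"
  for f in "$workdir"/cert-*.pem; do
    [ -f "$f" ] || continue
    subject=$(openssl x509 -in "$f" -noout -subject)
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    enddate=$(openssl x509 -in "$f" -noout -enddate)
    status="ok"
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
      status="EXPIRED"
    fi
    # The AddTrust root and anything cross-signed by it are what broke on 2020-05-30.
    case "$subject $issuer" in
      *"AddTrust External CA Root"*) status="$status, AddTrust root or cross-sign" ;;
    esac
    printf '%s\n  %s\n  %s\n  %s\n  -> %s\n' "$f" "$subject" "$issuer" "$enddate" "$status"
    if [ "$status" = "ok" ]; then
      cat "$f" >> "$workdir/fixed-chain.pem"
    fi
  done
  echo "trimmed chain written to $workdir/fixed-chain.pem"
}

# Stand-alone usage: ./check-chain.sh chain.pem [workdir]
if [ -n "${1:-}" ]; then
  check_chain "$1" "${2:-}"
fi
```

The trimmed file is only a starting point: run `openssl verify -CAfile <system bundle> -untrusted <workdir>/fixed-chain.pem <workdir>/cert-01.pem` afterwards to confirm the leaf still chains to a root the client trusts, since dropping the cross-signed intermediate only helps when the remaining intermediate is issued by a root that is in the client's store.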
