Brian Inglis via Cygwin-apps writes:
>> Re-installed last ca-certificates-letencrypt package and cygport
>> announce and git send-email are working again.

Then keep it installed one or two months longer, but I will not revive that package. The original problem with the R3 cross-signed through X3 went away at least a year ago already and the last R3 signed certificates (that don't have this problem) should expire somewhere in the next two or three months latest. New certificates should be signed by R10 or R11 already.

>> Some unexpired letsencrypt certificates should probably have been
>> migrated to ca-certificates or left in ca-certificates-letencrypt?

Nope.

> so were any DigiCert certs harmed in the making of this package? ;^>

Bollocks. If installing ca-certificates-letencrypt fixes it for you, then it's either an old TrustID X3 or Let's Encrypt R3 certificate (probably the latter) somewhere in the cert chain _plus_ an openssl earlier than 1.2 (as these had a bug in cert validation that gets triggered during validation of a cross-signed CA).

Anyway, the current openssl has no problems with either of the servers you mentioned:

--8<---------------cut here---------------start------------->8---
~ (2012)# openssl s_client -connect mail.hover.com:465
CONNECTED(00000004)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.hover.com
verify return:1
---
Certificate chain
 0 s:CN = *.hover.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 14 00:00:00 2024 GMT; NotAfter: Jul 13 23:59:59 2025 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 2 12:24:33 2017 GMT; NotAfter: Nov 2 12:24:33 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM-encoded certificate omitted]
-----END CERTIFICATE-----
subject=CN = *.hover.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4263 bytes and written 416 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D9DC8EB9C7D48C94787756096BD0F96E0762523B4C143D11FCA280791CB1BA3C
    Session-ID-ctx:
    Resumption PSK: B80A77F145CEF83FDE1C7A7EA45798F68B86B99670DB927F33403EEA4F39C0E8F9FC19F4079CD97A76F02A28E7A5BD55
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1720983567
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1AEF43A9993E9BA5A1A0844712A568353FA9F4AC61ECEA7A0E0F0AB16727DE74
    Session-ID-ctx:
    Resumption PSK: 857E108EDF8AFED4B984061182278E7E5A81AA950D699403321E0AF52985249545010623DAD2C458D8AED832CBB426BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1720983567
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.hostedemail.com ESMTP
~ (2013)# openssl s_client -connect cygwin.com:443
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cygwin.com
verify return:1
---
Certificate chain
 0 s:CN = cygwin.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 21 03:00:17 2024 GMT; NotAfter: Aug 19 03:00:16 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM-encoded certificate omitted]
-----END CERTIFICATE-----
subject=CN = cygwin.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3296 bytes and written 425 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 931F9282F0585331265F3794080799359859AA0FEEEAA9C20F98199905EB7F89
    Session-ID-ctx:
    Master-Key: 63A10CBB47A212825E4943DD6ACF879EAB7892CEDE672B72D0BF51CF2CD07C865C323248139E192FC776675C040CDC46
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1720983597
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed
--8<---------------cut here---------------end--------------->8---

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
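
Added example, not part of the mail above and not Cygwin or OpenSSL project code: a parser for the "Certificate chain" section of `openssl s_client` output that flags entries involving the CAs the mail names, plus anything expired. `WATCHED_CNS`, `parse_chain` and `flag_chain` are hypothetical names, and treating "TrustID X3" as the root with CN "DST Root CA X3" is an assumption.

```python
import re
from datetime import datetime, timezone

# CNs the mail singles out. Assumption: "TrustID X3" is the root with CN "DST Root CA X3".
WATCHED_CNS = frozenset({"R3", "DST Root CA X3"})

# Sample input: the cygwin.com chain from the mail, abridged to the chain section.
SAMPLE = """\
---
Certificate chain
 0 s:CN = cygwin.com
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: May 21 03:00:17 2024 GMT; NotAfter: Aug 19 03:00:16 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
"""

def _cn(dn):
    # Pull the CN out of a distinguished name; fall back to the whole DN.
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Parse the 'Certificate chain' section (what the server sent, not the verified path)."""
    entries, in_chain = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain and (m := re.match(r"\s*(\d+)\s+s:(.*)", line)):
            entries.append({"depth": int(m.group(1)), "subject": _cn(m.group(2)),
                            "issuer": None, "not_after": None})
        elif in_chain and entries and (m := re.match(r"\s*i:(.*)", line)):
            entries[-1]["issuer"] = _cn(m.group(1))
        elif in_chain and entries and (m := re.search(r"NotAfter:\s*(.+?)\s+GMT", line)):
            # Output without a v: line leaves not_after as None.
            entries[-1]["not_after"] = datetime.strptime(
                m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return entries

def flag_chain(text, now, watched=WATCHED_CNS):
    """Return (depth, subject, reason) tuples for chain entries worth a second look."""
    findings = []
    for e in parse_chain(text):
        for cn in sorted({e["subject"], e["issuer"]} & watched):
            findings.append((e["depth"], e["subject"], f"involves CA {cn}"))
        if e["not_after"] and e["not_after"] < now:
            findings.append((e["depth"], e["subject"], "expired"))
    return findings
```

To check a live server, feed the function the captured text of `openssl s_client -connect host:port </dev/null` instead of `SAMPLE`.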