Brian Inglis via Cygwin-apps writes:
>> Re-installed last ca-certificates-letencrypt package and cygport
>> announce and git send-email are working again.

Then keep it installed one or two months longer, but I will not revive
that package.  The original problem with the R3 cross-signed through X3
went away at least a year ago already and the last R3 signed
certificates (that don't have this problem) should expire somewhere in
the next two or three months at the latest.  New certificates should be signed
by R10 or R11 already.

>> Some unexpired letsencrypt certificates should probably have been
>> migrated to ca-certificates or left in ca-certificates-letencrypt?

Nope.

> so were any DigiCert certs harmed in the making of this package? ;^>

Bollocks.  If installing ca-certificates-letencrypt fixes it for you,
then it's either an old TrustID X3 or Let's Encrypt R3 certificate
(probably the latter) somewhere in the cert chain _plus_ an openssl
earlier than 1.2 (as these had a bug in cert validation that gets
triggered during validation of a cross-signed CA).

Anyway, the current openssl has no problems with either of the servers
you mentioned:

--8<---------------cut here---------------start------------->8---
~ (2012)# openssl s_client -connect mail.hover.com:465
CONNECTED(00000004)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.hover.com
verify return:1
---
Certificate chain
 0 s:CN = *.hover.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 14 00:00:00 2024 GMT; NotAfter: Jul 13 23:59:59 2025 GMT
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 12:24:33 2017 GMT; NotAfter: Nov  2 12:24:33 2027 GMT
 2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
subject=CN = *.hover.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4263 bytes and written 416 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D9DC8EB9C7D48C94787756096BD0F96E0762523B4C143D11FCA280791CB1BA3C
    Session-ID-ctx: 
    Resumption PSK: B80A77F145CEF83FDE1C7A7EA45798F68B86B99670DB927F33403EEA4F39C0E8F9FC19F4079CD97A76F02A28E7A5BD55
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1720983567
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 1AEF43A9993E9BA5A1A0844712A568353FA9F4AC61ECEA7A0E0F0AB16727DE74
    Session-ID-ctx: 
    Resumption PSK: 857E108EDF8AFED4B984061182278E7E5A81AA950D699403321E0AF52985249545010623DAD2C458D8AED832CBB426BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1720983567
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.hostedemail.com ESMTP

~ (2013)# openssl s_client -connect cygwin.com:443
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cygwin.com
verify return:1
---
Certificate chain
 0 s:CN = cygwin.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 21 03:00:17 2024 GMT; NotAfter: Aug 19 03:00:16 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
subject=CN = cygwin.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3296 bytes and written 425 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 931F9282F0585331265F3794080799359859AA0FEEEAA9C20F98199905EB7F89
    Session-ID-ctx: 
    Master-Key: 63A10CBB47A212825E4943DD6ACF879EAB7892CEDE672B72D0BF51CF2CD07C865C323248139E192FC776675C040CDC46
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1720983597
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed
--8<---------------cut here---------------end--------------->8---


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
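
The fields this message argues from (who issued each chain element, when it expires, and the verify code) can be pulled out of saved `openssl s_client` output with a short filter. This is an added example, not part of the original message: `chain_report` and `sample_output` are hypothetical names, the parser assumes the OpenSSL 3.x layout with `s:`/`i:`/`v:` lines shown above, and the "X3" match assumes the old cross-signing root's CN ends in `X3`.

```shell
#!/bin/sh
# Summarise the "Certificate chain" section of `openssl s_client` output.
# Reads the text on stdin and prints one line per chain element:
#   idx|subject CN|issuer CN|NotAfter|note
# followed by verify|<code> taken from the first "Verify return code" line.
chain_report() {
  awk '
    function cn(dn) { sub(/^.*CN = /, "", dn); return dn }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0; next }
    in_chain && /^ *[0-9]+ s:/ {
      idx = $1; subj = $0; sub(/^ *[0-9]+ s:/, "", subj); next
    }
    in_chain && /^ +i:/  { iss = $0; sub(/^ +i:/, "", iss); next }
    in_chain && /^ +v:/  {
      na = $0; sub(/^.*NotAfter: /, "", na)
      note = "-"
      # "Let.s" avoids a literal apostrophe inside the quoted awk program.
      if (iss ~ /O = Let.s Encrypt, CN = R3$/) note = "issued-by-R3"
      # Assumption: the legacy cross-signing root has a CN ending in X3.
      if (iss ~ /CN = .*X3$/)                  note = "issued-by-X3"
      print idx "|" cn(subj) "|" cn(iss) "|" na "|" note
      next
    }
    /^ *Verify return code:/ && !seen++ { print "verify|" $4 }
  '
}

# Sample input: the cygwin.com chain lines copied from the session above.
sample_output() {
  cat <<'EOF'
---
Certificate chain
 0 s:CN = cygwin.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 21 03:00:17 2024 GMT; NotAfter: Aug 19 03:00:16 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
    Verify return code: 0 (ok)
EOF
}

sample_output | chain_report
```

Against a live server the same filter reads `openssl s_client -connect host:port </dev/null 2>/dev/null | chain_report`.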
