Re: [ATTN] ca-certificates-letsencrypt maintainer

Sun, 14 Jul 2024 18:40:25 -0700 

On 2024-07-14 13:46, ASSI via Cygwin-apps wrote:

Brian Inglis via Cygwin-apps writes:

Re-installed last ca-certificates-letencrypt package and cygport
announce and git send-email are working again.


Then keep it installed one or two months longer, but I will not revive
that package.  The original problem with the R3 cross-signed through X3
went away at least a year ago already and the last R3 signed
certificates (that don't have this problem) should expire somewhere in
the next two or three months latest.  New certificates should be signed
by R10 or R11 already.


Sorry Achim,


But given that the Cygwin certs appear that they may require some of these, and 
does not expire until mid-August, might it not have been better to keep the 
package around until after then?



Some unexpired letsencrypt certificates should probably have been
migrated to ca-certificates or left in ca-certificates-letencrypt?


Nope.


so were any DigiCert certs harmed in the making of this package? ;^>


Bollocks.  If installing ca-certificates-letencrypt fixes it for you,
then it's either an old TrustID X3 or Let's Encrypt R3 certificate
(probably the latter) somewhere in the cert chain _plus_ an openssl
earlier than 1.2 (as these had a bug in cert validation that gets
triggered during validation of a cross-signed a CA).



I do not know how to figure out what is in these cert packages, and what 
correlation is significant between those, my email server, cygwin/sourceware 
email server, cygport pkg_upload(__pkg_announce) and git send-email.



Anyway, the current openssl has no problems with either of the servers
you mentioned:



It seems to me that both /usr/share/cygport/lib/pkg_upload.cygpart 
__pkg_announce() and /usr/libexec/git-core/git-send-email send_message() have 
Net::SMTP::SSL in common: those perl modules and dependencies all seem to be 
5.36, and I have no idea how they link to OpenSSL, but could they eventually 
link to the old OpenSSL 1.1.1w, and could that be causing an issue?


--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry






















					Reply via email to