On 2021-01-07 01:48, Aaron Gable wrote:
> As mentioned in the blog post, and as we'll elaborate on further in an upcoming post, one of the drawbacks of this arrangement is that there actually is a class of clients for which chaining to an expired root doesn't work: versions of OpenSSL prior to 1.1. This is the same failure mode as various clients ran into on May 30th of 2020, when the AddTrust External CA root expired.
I'm not sure why you mention OpenSSL prior to 1.1. There was a bug in 1.1.1h that no longer checked for expired roots, but it was fixed in 1.1.1i. OpenSSL has no plan to allow expired roots by default.
Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
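The path-building difference behind the "expired root" failure mode discussed above, as an added toy model that is not part of this thread and is not OpenSSL's code. It assumes the shape of the AddTrust case: an old self-signed root that has expired, a newer self-signed root for the same CA, both in the client's trust store, and a server that also sends a copy of the new root cross-signed by the old one. Signature checking is omitted; the only thing modelled is which pool the path builder consults first when looking for an issuer (peer-supplied certificates first, as OpenSSL did before 1.1.0, versus the trust store first, the 1.1.0+ default that the older X509_V_FLAG_TRUSTED_FIRST option enabled). Certificate names and dates are constructed.

```python
"""Toy model of X.509 path building (added illustration, not OpenSSL code).

Two trust anchors exist for the same CA: an old self-signed root that has
expired and a newer self-signed root.  The server also sends the new root
cross-signed by the old root.  Whether validation succeeds depends on which
pool of certificates the path builder searches first for an issuer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate; signatures are not modelled."""
    subject: str
    issuer: str
    not_after: int  # validity end as a day count; constructed values below


def find_issuer(cert, pool):
    """First certificate in pool whose subject matches cert's issuer, if any."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_and_check_chain(leaf, untrusted, trusted, now, trusted_first):
    """Build a path from leaf to a trust anchor, then check validity dates.

    trusted_first=False mimics the order OpenSSL used before 1.1.0 (peer-supplied
    certificates searched before the trust store); trusted_first=True mimics the
    1.1.0+ default (trust store searched first).  Returns (chain, error_or_None).
    """
    chain = [leaf]
    current = leaf
    while not (current.subject == current.issuer and current in trusted):
        if current.subject == current.issuer:
            return chain, "self signed certificate in certificate chain"
        pools = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        issuer = None
        for pool in pools:
            issuer = find_issuer(current, pool)
            if issuer is not None:
                break
        if issuer is None:
            return chain, "unable to get issuer certificate"
        chain.append(issuer)
        current = issuer
    # Dates are checked on the path that was built, not on alternative paths.
    for cert in chain:
        if now > cert.not_after:
            return chain, f"certificate has expired: {cert.subject}"
    return chain, None


# Constructed scenario (hypothetical names and dates).
NOW = 18800
OLD_ROOT = Cert("Old Root", "Old Root", not_after=18780)          # expired
NEW_ROOT = Cert("New Root", "New Root", not_after=25000)
CROSS_SIGNED_NEW_ROOT = Cert("New Root", "Old Root", not_after=24000)
INTERMEDIATE = Cert("Intermediate CA", "New Root", not_after=22000)
LEAF = Cert("www.example.test", "Intermediate CA", not_after=19000)

TRUST_STORE = [OLD_ROOT, NEW_ROOT]                     # client still ships both roots
SERVER_CHAIN = [INTERMEDIATE, CROSS_SIGNED_NEW_ROOT]   # what the TLS server sends


def verify_untrusted_first():
    """Pre-1.1.0 order: walks into the cross-signed cert and ends at the expired root."""
    return build_and_check_chain(LEAF, SERVER_CHAIN, TRUST_STORE, NOW, trusted_first=False)


def verify_trusted_first():
    """1.1.0+ order: finds the new self-signed root in the store and stops there."""
    return build_and_check_chain(LEAF, SERVER_CHAIN, TRUST_STORE, NOW, trusted_first=True)


def verify_untrusted_first_without_cross_cert():
    """Server-side mitigation: stop sending the cross-signed root; old order now succeeds."""
    return build_and_check_chain(LEAF, [INTERMEDIATE], TRUST_STORE, NOW, trusted_first=False)


if __name__ == "__main__":
    for fn in (verify_untrusted_first, verify_trusted_first,
               verify_untrusted_first_without_cross_cert):
        chain, err = fn()
        path = " -> ".join(c.subject for c in chain)
        print(f"{fn.__name__}: {path}: {err or 'OK'}")
```

The point the model makes concrete is that the expiry check runs on the path that was already built: once the builder has followed the cross-signed certificate to the old root, finding that root expired is a hard failure rather than a reason to look for another path. Removing the cross-signed certificate from what the server sends (the usual AddTrust remediation) fixes the old-order client as well, because the only issuer left for the intermediate is the new root in the trust store.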