On 6/10/21 20:02, Christophe Thomas wrote:
Thank you for the hint, I found this link that talks about it: https://community.letsencrypt.org/t/isrg-root-lazy-loading-problem-missing-from-random-updated-windows-10-versions/141550/2

We've also tested on an old Linux (Ubuntu 16).

When trying to connect to one test website, openssl is not finalizing the connection due to the expired DST Root X3, and we can see that the chain is:
website cert => ISRG X1 root => DST Root X3

Doing the same test with our own software (which uses our own shipped lib for openssl) from scratch, we fail, and we can see we use the same chain as above.

Third test, still with our software, but forcing loading of the CA certs before the first connection (see first email from maitai => def.setCaCertificates(QSslConfiguration::systemCaCertificates());). In this case we still have the same chain reported, but with DST Root X3 expiring in 2024, and the connection is OK.

Also on this device, we find the ISRG_Root_X3.pem that is expired.


We still support an old version of our app shipped with Qt 5.8 and OpenSSL 1.0.1. This stopped working when the X3 root expired, as expected.

I upgraded to 1.0.2u and added the X1 root directly to Qt. Now the application works. But the instructions from OpenSSL say to also remove the X3 root which I'm not able to do (it's loaded from Windows), so I am puzzled by why this works. I have not done anything special when generating my certificates like requesting the alternate certificate chain.


I have Qt 5.15 (OpenSSL 1.1) applications deployed on Debian 10 and have not had to do anything to keep that working.


Hamish
_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
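
A simplified model of the chain-building order that the OpenSSL instructions mentioned above are built around, added here as an illustration and not code from this thread, Qt or OpenSSL: by default OpenSSL 1.0.2 follows the certificates the server sent before it consults the trust store, while 1.1.x consults the trust store first. The certificates are constructed stand-ins (names and approximate expiry dates only, no signatures), and `Cert`, `issuer_in` and `verify` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed stand-ins for the Let's Encrypt chain: names and expiry only.
LEAF = Cert("website", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
SENT = [R3, X1_CROSS]          # what the server sends after the leaf
TODAY = date(2021, 10, 6)      # date of the thread, after X3 expired

def issuer_in(pool, cert):
    return next((c for c in pool if c.subject == cert.issuer), None)

def verify(leaf, sent, store, today, trusted_first=False):
    """Return (result, chain). trusted_first=False models the 1.0.2 default."""
    chain, anchor = [leaf], None
    while True:
        if trusted_first:                      # 1.1.x default: store wins
            anchor = issuer_in(store, chain[-1])
            if anchor:
                break
        nxt = issuer_in(sent, chain[-1])       # follow the server's chain
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    while anchor is None:                      # consult the store last
        anchor = issuer_in(store, chain[-1])
        if anchor is None:
            if len(chain) == 1:
                return "unable to get local issuer certificate", chain
            chain.pop()                        # alternate chain: back up one
    chain.append(anchor)
    if any(c.not_after < today for c in chain):
        return "certificate has expired", chain
    return "ok", chain

if __name__ == "__main__":
    for name, store, tf in [("1.0.2, X3 + X1 in store", [X3, X1_SELF], False),
                            ("1.0.2, X3 removed", [X1_SELF], False),
                            ("trusted first, X3 + X1", [X3, X1_SELF], True)]:
        result, chain = verify(LEAF, SENT, store, TODAY, tf)
        print(name, "->", result, [c.subject for c in chain])
```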
