On Wed, 6 Oct 2021, Hamish Moffatt via Interest wrote: > The OpenSSL blog writes that this unfortunately doesn't happen with > 1.0.2 though - it sees the expired root and gives up. > https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
http://www.mirbsd.org/cvs.cgi/src/lib/libssl/src/crypto/x509/x509_vfy.c.diff?r1=1.5;r2=1.6 This is what I applied to MirBSD’s SSL. Apparently, OpenSSL does not always trust the local store? They seem to be making it dependent on X509_V_FLAG_TRUSTED_FIRST. With this patch, local files in /etc/ssl/certs/ have precedence. bye, //mirabilos -- Infrastrukturexperte • tarent solutions GmbH Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/ Telephon +49 228 54881-393 • Fax: +49 228 54881-235 HRB AG Bonn 5168 • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg **************************************************** /⁀\ The UTF-8 Ribbon ╲ ╱ Campaign against Mit dem tarent-Newsletter nichts mehr verpassen: ╳ HTML eMail! Also, https://www.tarent.de/newsletter ╱ ╲ header encryption! **************************************************** _______________________________________________ Interest mailing list Interest@qt-project.org https://lists.qt-project.org/listinfo/interest