On 2022-02-21, Hugo Villeneuve <h...@eintr.net> wrote:
> 2.
> Connecting to "https://ftp.openbsd.org/pub/OpenBSD/" or
> "https://www.openbsd.org/" on older release:
>
> Both web sites INSIST on including the intermediary certificate:
>
>  2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>
> by their http web server (they have the same certificate provider).

> This forces you to check against the 
> "/O=Digital Signature Trust Co./CN=DST Root CA X3" certificate in
> /etc/ssl/cert.pem.
>
> Which expired in September 2021.
>
> Both web sites SHOULD stop offering that certificate as intermediary.

This is the standard chain that letsencrypt recommends people use.

It allows connections from old Java and Android (which are often hard
to get updated) even if they don't have the new root in their trust
store, at the expense of preventing connections from old OpenSSL/LibreSSL
(which OTOH are often easier to get updated, plus the people who need
to update them are slightly more likely to know what they're doing than
people stuck on old Android).

> And simply stop at:
>
>  1 s:/C=US/O=Let's Encrypt/CN=R3
>    i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
>
> Because "subject:C=US/O=Internet Security Research Group/CN=ISRG Root X1"
> is already a valid CA installed everywhere.

It's by no means installed everywhere yet. Many places, sure...


-- 
Please keep replies on the mailing list.

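The trade-off described in the reply, as an added example that is not part of the original thread and not code from OpenBSD or Let's Encrypt: a small Go program that builds a constructed toy PKI with the names from the quoted s_client output (freshly generated keys, illustrative dates, and a hypothetical leaf for www.example.org) and runs a model of a legacy verifier over the two candidate chains. verifyPresented walks the chain exactly as the server sent it and only checks the final link against the trust store; with anchor expiry enforced that is the behaviour the reply attributes to old OpenSSL/LibreSSL, and with anchor expiry ignored it models old Android, which keeps working with the long chain even though DST Root CA X3 has expired. The function, its flag and the two trust stores are my own modelling of the situation, not a description of any particular release.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy PKI reusing the names from the thread; keys are generated on every run,
// the dates are illustrative, and "now" is the date of the e-mail.
var now = time.Date(2022, 2, 21, 0, 0, 0, 0, time.UTC)

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
func name(o, cn string) pkix.Name { return pkix.Name{Organization: []string{o}, CommonName: cn} }
func newKey() *ecdsa.PrivateKey  { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// issue signs a certificate for subj (private key: key) with parentKey; parent == nil means
// self-signed.  Only the fields that chain building looks at are set.
func issue(subj pkix.Name, key *ecdsa.PrivateKey, ca bool, from, to time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subj, NotBefore: from, NotAfter: to,
		BasicConstraintsValid: true, IsCA: ca}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return c
}

// buildPKI returns the two candidate server chains and two candidate client trust stores.
func buildPKI() (long, short, dstOnly, both []*x509.Certificate) {
	dstKey, isrgKey, r3Key := newKey(), newKey(), newKey()
	isrgName := name("Internet Security Research Group", "ISRG Root X1")
	// Already expired at "now": the anchor an old /etc/ssl/cert.pem ends up checking against.
	dst := issue(name("Digital Signature Trust Co.", "DST Root CA X3"), dstKey, true, date(2000, 9, 30), date(2021, 9, 30), nil, nil)
	isrg := issue(isrgName, isrgKey, true, date(2015, 6, 4), date(2035, 6, 4), nil, nil)
	// Same ISRG subject and key but issued by DST Root CA X3: the cross-sign listed as
	// certificate 2 in the quoted s_client output.  It deliberately outlives its issuer.
	cross := issue(isrgName, isrgKey, true, date(2021, 1, 20), date(2024, 9, 30), dst, dstKey)
	r3 := issue(name("Let's Encrypt", "R3"), r3Key, true, date(2020, 9, 4), date(2025, 9, 15), isrg, isrgKey)
	leaf := issue(name("Example", "www.example.org"), newKey(), false, date(2022, 1, 1), date(2022, 4, 1), r3, r3Key)
	long = []*x509.Certificate{leaf, r3, cross} // what the two sites send
	short = []*x509.Certificate{leaf, r3}       // the chain Hugo proposes
	dstOnly = []*x509.Certificate{dst}          // a store that never learned ISRG Root X1
	both = []*x509.Certificate{dst, isrg}       // a cert.pem carrying both roots
	return
}

// verifyPresented models a verifier that walks the presented chain in order and never asks
// whether an earlier certificate is itself a trust anchor: the last one must be signed by a
// root.  checkAnchorExpiry makes an expired root fatal (old OpenSSL/LibreSSL); without it
// the root's dates are ignored (old Android).
func verifyPresented(chain, roots []*x509.Certificate, checkAnchorExpiry bool) (string, error) {
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return "", fmt.Errorf("%s: outside its validity period", c.Subject.CommonName)
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			return "", fmt.Errorf("%s: not signed by %s", c.Subject.CommonName, chain[i+1].Subject.CommonName)
		}
	}
	last := chain[len(chain)-1]
	for _, r := range roots {
		if last.CheckSignatureFrom(r) == nil {
			if checkAnchorExpiry && now.After(r.NotAfter) {
				return "", fmt.Errorf("trust anchor %s expired on %s", r.Subject.CommonName, r.NotAfter.Format("2006-01-02"))
			}
			return r.Subject.CommonName, nil
		}
	}
	return "", fmt.Errorf("no trust anchor for issuer %q", last.Issuer.CommonName)
}

// describe renders a verification result for the report printed by main.
func describe(anchor string, err error) string {
	if err != nil {
		return "FAIL: " + err.Error()
	}
	return "OK, chain ends at " + anchor
}

func main() {
	long, short, dstOnly, both := buildPKI()
	fmt.Println("old OpenSSL/LibreSSL, long chain, both roots:  ", describe(verifyPresented(long, both, true)))
	fmt.Println("old OpenSSL/LibreSSL, short chain, both roots: ", describe(verifyPresented(short, both, true)))
	fmt.Println("old Android, long chain, DST root only:        ", describe(verifyPresented(long, dstOnly, false)))
	fmt.Println("old Android, short chain, DST root only:       ", describe(verifyPresented(short, dstOnly, false)))
}
```

Running it prints the two failures the thread is about: with anchor expiry enforced, the long chain is rejected even though ISRG Root X1 is in the store, because a verifier of this shape never considers stopping at the presented cross-signed certificate and ends up at the expired DST Root CA X3; with a store that only holds DST Root CA X3, the short chain is rejected for lack of any anchor, which is the old-Android population the reply is protecting. Verifiers that look for a trust anchor at every step instead of following the presented order, the behaviour the reply contrasts with "old" OpenSSL/LibreSSL, stop at an installed ISRG Root X1 and are not affected by the extra certificate.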