Root CA certificates used by the mentioned sites (Comodo and USERTrust) expired this morning (UTC time). While I find it remarkable that two different Root CA certs would expire at the exact same second, this may be explained by USERTrust being affiliated with Comodo (now Sectigo).

Edit: These two actually never were Root CA certificates, but rather intermediate CAs signed by "AddTrust External CA Root". Therefore, their expiration date was determined by the validity of the "AddTrust External CA Root" certificate, which also happens to have expired at the exact same second.

Now, updated certificates (sharing their private keys with the expired ones) were issued back in 2010 (Comodo, USERTrust). These certificates are part of the common Root CA stores these days (including Apple's system trust store), therefore browsers establish the connections perfectly fine. The same is true for most variants of cURL (e.g. from MacPorts or Homebrew), which are built against custom OpenSSL installations. The built-in cURL variant of macOS 10.14 is built against LibreSSL and uses /etc/ssl/cert.pem as its Root CA store, which also includes the new certificates. However, something appears to be causing cURL or LibreSSL to prefer the old certificates for its validity check.

I suppose cURL is at least somewhat involved in the problem, since I couldn't get the connections to fail using /usr/bin/openssl s_client (/usr/bin/openssl is actually built from LibreSSL). My hypothesis would be that the problem is caused by the sites sending the expired Root CA certificate as part of their certificate chain. Including the Root CA in such chains is allowed, but not required, and in this case appears to break certificate validation.

Edit: This is part of a series of issues around the "AddTrust External CA Root" expiration.
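The hierarchy the post describes (an old root, an intermediate cross-signed by it that expires with it, and a newer self-signed root carrying the same key pair) can be rebuilt in miniature to see what a verifier does with the chain such a site sends. The following is an added example written for this page, not the post author's code and not a reproduction of cURL or LibreSSL: it uses Go's crypto/x509 verifier as a stand-in, with freshly generated keys, constructed validity dates and a fixed verification clock (June 2020). It shows the first check worth doing, listing which certificates in the server-sent chain are expired, and then verifies the leaf twice: once with a trust store that only holds the old root (fails, because the only path runs through the expired cross-signed intermediate) and once with a store that also holds the 2010 self-signed root (succeeds, because Go tries trusted roots before the sent intermediates and builds the short path). It therefore mirrors what browsers did, not the LibreSSL failure; the names "AddTrust External CA Root" and "USERTrust RSA Certification Authority" are reused as labels only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed miniature of the AddTrust hierarchy (not real
// certificates). Sent is the chain the server delivers; Now is a fixed clock.
type Scenario struct {
	Leaf, OldRoot, NewRoot *x509.Certificate
	Sent                   []*x509.Certificate
	Now                    time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a certificate for cn bound to pub; with parent == nil it is
// self-signed, otherwise parent and signer (the parent's key) sign it.
func mkCert(serial int64, cn string, isCA bool, notBefore, notAfter time.Time,
	pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go also derives a SubjectKeyId for CAs
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildScenario mirrors the real hierarchy with fresh keys and constructed
// dates: one CA key pair appears twice, cross-signed by the old root (expiring
// with it) and as a long-lived self-signed root. The server sends the leaf,
// the expired cross-signed intermediate and the expired old root.
func BuildScenario() *Scenario {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	at := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 10, 48, 38, 0, time.UTC) }
	oldRootKey, caKey, leafKey := key(), key(), key()
	oldRoot := mkCert(1, "AddTrust External CA Root", true, at(2000, 5, 30), at(2020, 5, 30), &oldRootKey.PublicKey, nil, oldRootKey)
	cross := mkCert(2, "USERTrust RSA Certification Authority", true, at(2000, 5, 30), at(2020, 5, 30), &caKey.PublicKey, oldRoot, oldRootKey)
	newRoot := mkCert(3, "USERTrust RSA Certification Authority", true, at(2010, 2, 1), at(2038, 1, 18), &caKey.PublicKey, nil, caKey)
	leaf := mkCert(4, "www.example.com", false, at(2020, 1, 1), at(2021, 1, 1), &leafKey.PublicKey, cross, caKey)
	return &Scenario{Leaf: leaf, OldRoot: oldRoot, NewRoot: newRoot,
		Sent: []*x509.Certificate{leaf, cross, oldRoot}, Now: at(2020, 6, 1)}
}

// ExpiredInSentChain lists the common names of sent certificates whose
// notAfter lies before the verification time.
func (s *Scenario) ExpiredInSentChain() []string {
	var out []string
	for _, c := range s.Sent {
		if s.Now.After(c.NotAfter) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// VerifyWithStore verifies the leaf with the other sent certificates as
// intermediates. The trust store always holds the old root; withNewRoot adds
// the 2010 self-signed root. It returns the chain the verifier built.
func (s *Scenario) VerifyWithStore(withNewRoot bool) ([]*x509.Certificate, error) {
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range s.Sent[1:] {
		inter.AddCert(c)
	}
	roots.AddCert(s.OldRoot)
	if withNewRoot {
		roots.AddCert(s.NewRoot)
	}
	chains, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: s.Now})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	s := BuildScenario()
	fmt.Println("expired in sent chain:", s.ExpiredInSentChain())
	_, err := s.VerifyWithStore(false)
	fmt.Println("old root only:", err)
	chain, err := s.VerifyWithStore(true)
	fmt.Println("with 2010 root:", len(chain), "certificates, err =", err)
}
```

Against a live server the equivalent of the first check is reading the notAfter of each certificate printed by `openssl s_client -connect host:443 -showcerts`; a cross-signed intermediate that shares its subject and key with a root already in the trust store is exactly the case where verifiers differ in which path they build.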