Hey,

On Fri, 2021-10-01 at 14:12 +0200, Julien Cristau wrote:
> On Fri, Oct 01, 2021 at 10:14:27AM +0200, Sjoerd Simons wrote:
> > Package: ca-certificates
> > Version: 20210119
> > Severity: normal
> >
> > This is a similar situation as #961907. The DST Root CA X3 certificate in
> > ca-certificates has expired, which is a signer for "ISRG Root X1", which in
> > turn is used by Letsencrypt. This causes some (older?) SSL implementations to
> > mark letsencrypt certificates as expired even though there is a trusted valid
> > "intermediate"
> >
> Which implementations are affected? I know of openssl 1.0.2, which is
> not in any supported Debian release. Are recent versions of gnutls
> affected by this bug?

Recent versions aren't; for the ones in Debian itself it seems this last
was an issue with the gnutls version in Jessie (which is out of LTS, but
in ETLS). So the issues mainly crop up with applications that have an
embedded (older) SSL stack but use the system certificates.

Given that blacklisting the cert seems easy to do and afaik doesn't have
any real downsides it's probably still a good thing to do even if it's
less relevant for Debian by now?

--
Sjoerd Simons <sjo...@debian.org>
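
The failure mode discussed in this thread, as an added example that is not part of the original mail or of ca-certificates: a simplified Python model of path building that shows why an older stack reports "expired" while a trusted-first stack succeeds, and why removing the expired root from the store helps the older one. Assumptions: the served chain layout (leaf, R3, cross-signed ISRG Root X1), the dates, and the names `verify` and `blacklist` are constructed for the model; certificates are matched by name only and no signatures are checked.

```python
from datetime import datetime, timezone

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed chain as sent by a server, leaf first: (subject, issuer, not_after).
SENT_CHAIN = [
    ("example.org", "R3", day(2021, 12, 1)),
    ("R3", "ISRG Root X1", day(2025, 9, 15)),
    ("ISRG Root X1", "DST Root CA X3", day(2024, 9, 30)),  # cross-signed copy
]

# Constructed system trust store: anchor name -> not_after.
SYSTEM_STORE = {
    "ISRG Root X1": day(2035, 6, 4),      # self-signed root, still valid
    "DST Root CA X3": day(2021, 9, 30),   # expired root from the bug report
}

NOW = day(2021, 10, 1)  # date of the mail

def verify(chain, store, now, trusted_first):
    """Model two path-building orders.

    trusted_first=False: older behaviour, use the whole sent chain first and
    only try shorter paths when no anchor is found for the longer one.
    trusted_first=True: stop at the first certificate whose issuer is trusted.
    An expired anchor or path certificate is a hard failure in both modes.
    """
    cuts = range(1, len(chain) + 1)
    for cut in (cuts if trusted_first else reversed(cuts)):
        path, anchor = chain[:cut], chain[cut - 1][1]
        if anchor not in store:
            continue  # no trust anchor for this path, try another length
        if store[anchor] < now or any(exp < now for _, _, exp in path):
            return f"expired (anchor {anchor})"
        return f"ok (anchor {anchor})"
    return "unknown issuer"

def blacklist(store, name):
    """Return a copy of the trust store without the named anchor."""
    return {k: v for k, v in store.items() if k != name}

if __name__ == "__main__":
    print("older stack:   ", verify(SENT_CHAIN, SYSTEM_STORE, NOW, False))
    print("trusted-first: ", verify(SENT_CHAIN, SYSTEM_STORE, NOW, True))
    fixed = blacklist(SYSTEM_STORE, "DST Root CA X3")
    print("older, root blacklisted:", verify(SENT_CHAIN, fixed, NOW, False))
```

In the model the older stack only reaches the valid ISRG Root X1 anchor once the expired DST Root CA X3 entry is gone from the store, which is the effect the blacklisting proposal relies on.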