On Tuesday, 5 October 2021 10:29:09 PDT maitai wrote:
> Hi all,
>
> Since the Let's Encrypt root certificate expired, we have a few users
> unable to initiate an SSL connection (most of them on recent Windows 10
> versions, app built with Qt 5.15.6, but also some Linux cases). We are
> using OpenSSL 1.1.1.
Being slightly pedantic for future reference: no Let's Encrypt CA certificate expired. What expired was one of the root certificates that signed Let's Encrypt. It's not the only certificate, so Let's Encrypt continues to be valid.

> After some searches, we found out that the ca-certificates list is empty
> in those cases. In some Linux occurrences, the list becomes "loaded"
> after around 10 minutes, and all was fine until the user restarts the
> application. In some other cases waiting does nothing to fix the issue.

We don't pre-load the CA certificate list and haven't done that for years. We rely on OpenSSL loading exactly the certificates it needs on its own.

> I am still scratching my head about this though. Isn't it supposed to be
> useless to do that? Any insight on what is going on there will be
> appreciated.

Needs investigation. I don't understand what's wrong either.

In my case, I noticed that one application on my Android phone was complaining of an expired certificate for my server. After debugging a lot, I found that my IMAP server (Cyrus) was including the expired certificate in the list of certificates it sent the client, but the SMTP and HTTPS servers weren't. So I worked to hack the OpenSSL certificate database so it wouldn't send it. It didn't work. As far as I can tell, in this case, the client application found the expired signing certificate in its own database and decided to complain, despite having another path to a valid root certificate.

But this points to the possible problem: it might depend on whether the server is including this expired certificate in the connection negotiation or not. You can test with "openssl s_client -connect host:port -showcerts" and decode each one of the ones printed with "openssl x509 -text -noout" to see if the expired one is present or not.
-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel DPG Cloud Engineering

_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
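The s_client/x509 check Thiago describes, scripted as an added example (this is not code from the thread, from Qt, or from OpenSSL). It splits a saved `openssl s_client -showcerts` transcript into individual certificates, prints subject, issuer and notAfter for each, and counts the ones that are expired at a chosen reference time. It goes slightly beyond the message: the second argument is a number of seconds into the future, so the same function also answers "which certificate in this chain dies next". The only assumptions are that `openssl`, `awk` and `mktemp` are on the PATH; the chain it runs on is constructed locally (a throwaway 30-day test root signing a 1-day leaf, wrapped in s_client-style framing) so that nothing is contacted over the network. To check a real server, replace the constructed file with the output of `openssl s_client -connect host:port -showcerts </dev/null`.

```shell
#!/bin/sh
# Added example, not from the original thread: inspect the certificates a
# server sends (as captured by "openssl s_client -showcerts") and flag the
# ones that are expired at a reference time. Assumes only openssl/awk/mktemp.
set -eu

# Write every PEM certificate found in file $1 to $2/NN.pem, NN being the
# certificate's position in the chain (00 is what the server sent first).
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$1"
}

# For each certificate in chain file $1: print subject, issuer and notAfter
# (the same fields "openssl x509 -text -noout" shows) to stderr, and print to
# stdout how many are expired $2 seconds from now. $2 = 0 means "right now";
# a positive value asks which certificates will be dead that far ahead.
# "openssl x509 -checkend N" exits non-zero when notAfter < now + N.
count_expired() {
    chain=$1
    ahead=${2:-0}
    work=$(mktemp -d)
    split_chain "$chain" "$work"
    expired=0
    for f in "$work"/*.pem; do
        [ -e "$f" ] || continue
        if openssl x509 -noout -checkend "$ahead" -in "$f" >/dev/null; then
            status=ok
        else
            status=EXPIRED
            expired=$((expired + 1))
        fi
        openssl x509 -noout -subject -issuer -enddate -in "$f" | sed 's/^/  /' >&2
        echo "  => $status" >&2
    done
    rm -rf "$work"
    echo "$expired"
}

# --- constructed sample input (a throwaway test PKI, not a real server) -------
SAMPLE_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$SAMPLE_DIR/ca.key" -out "$SAMPLE_DIR/ca.pem" \
    -subj "/CN=Example Test Root" 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
    -keyout "$SAMPLE_DIR/leaf.key" -out "$SAMPLE_DIR/leaf.csr" \
    -subj "/CN=imap.example.test" 2>/dev/null
openssl x509 -req -days 1 -in "$SAMPLE_DIR/leaf.csr" \
    -CA "$SAMPLE_DIR/ca.pem" -CAkey "$SAMPLE_DIR/ca.key" -CAcreateserial \
    -out "$SAMPLE_DIR/leaf.pem" 2>/dev/null

# Framed the way "openssl s_client -showcerts" prints a chain, so the
# splitter has to skip the non-PEM lines just as it would on real output.
SAMPLE_CHAIN=$SAMPLE_DIR/chain.txt
{
    echo "CONNECTED(00000003)"
    echo "---"
    echo "Certificate chain"
    echo " 0 s:CN = imap.example.test"
    echo "   i:CN = Example Test Root"
    cat "$SAMPLE_DIR/leaf.pem"
    echo " 1 s:CN = Example Test Root"
    echo "   i:CN = Example Test Root"
    cat "$SAMPLE_DIR/ca.pem"
    echo "---"
} > "$SAMPLE_CHAIN"

# Right now nothing in the sample chain is expired (prints 0); two days ahead
# the 1-day leaf is (prints 1); 60 days ahead the test root is too (prints 2).
count_expired "$SAMPLE_CHAIN" 0
count_expired "$SAMPLE_CHAIN" 172800
count_expired "$SAMPLE_CHAIN" 5184000
```

The count goes to stdout and the per-certificate listing to stderr, so the function can be used both interactively and from a script (`[ "$(count_expired chain.txt 0)" = 0 ]` as a pre-deployment check). Note that this only tells you whether the server is sending an expired certificate; whether a given client then fails is up to that client's chain building, which is exactly the Android behaviour described in the message.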