https://bugs.kde.org/show_bug.cgi?id=447572
--- Comment #6 from Stefaan <stefaa...@hotmail.com> ---

I'm referring back to the LetsEncrypt certificate issue for "Android operating systems prior to 7.1.1", as discussed in https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

If GCompris is using OpenSSL instead of Android's internal https support, could it be that the workaround "This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors." (as mentioned on that page) they're using to enable "ISRG Root X1" on pre-7.1.1 devices, doesn't kick in for GCompris?

The workaround seems to rely on "DST Root CA X3" not being treated as expired by Android, even though in reality, it has expired (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/).

Using Chrome's certificate viewer on cdn.kde.org, I can indeed confirm that "DST Root CA X3" is being used to trust "ISRG Root X1", then "R3" and then the site's "1088045785.rsc.cdn77.org".

So, I've taken the liberty of theorizing further:

- the basic problem is that pre-7.1.1 devices don't know about the "ISRG Root X1" certificate and hence don't trust it.
- the workaround that works on the Android system doesn't kick in for GCompris, because it manages its certificate validation independently, but probably still uses the root certificates as shipped with the Android system
- if GCompris would ship the "ISRG Root X1" certificate (as application data), and enable it, that could solve the problem, and would not harm security in any way
- GCompris could do this by (pseudo-code):

    {
        QFile certFile("path to ISRG Root X1 certificate file (in pem format)");
        if (certFile.open(QIODevice::ReadOnly)) {
            auto sslConfig = QSslConfiguration::defaultConfiguration();
            // QSslCertificate reads from an open QIODevice, so the file is opened first
            sslConfig.addCaCertificate(QSslCertificate(&certFile, QSsl::Pem));
            QSslConfiguration::setDefaultConfiguration(sslConfig);
        }
    }

- and subsequent calls to QNetworkAccessManager::get(...) (as on line 229 in DownloadManager.cpp) would then use the augmented ssl configuration?

Does my theory/analysis make sense?
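The hypothesis in comment #6 can be laid out as a small path-validation model; this is an added example, not part of the comment and not GCompris or Qt code. It performs no cryptography, all dates are constructed (only their order matters), and the trusted-first path search and the `enforce_anchor_expiry` switch are assumptions standing in for the two validators the comment contrasts.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # constructed value, not read from a real certificate


# Constructed stand-ins for the chain named in the comment.
LEAF = Cert("1088045785.rsc.cdn77.org", "R3", date(2022, 3, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

SERVER_CHAIN = [LEAF, R3, X1_CROSS]   # what the server sends
TODAY = date(2021, 12, 1)             # constructed "now", after DST_X3 expiry


def validate(chain, trust_store, today, enforce_anchor_expiry):
    """Walk the sent chain upward and stop at the first trusted issuer."""
    anchors = {c.subject: c for c in trust_store}
    for i, cert in enumerate(chain):
        if cert.not_after < today:
            return False, f"{cert.subject} expired"
        anchor = anchors.get(cert.issuer)
        if anchor is not None:
            if enforce_anchor_expiry and anchor.not_after < today:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
        # Issuer is not trusted: the next sent certificate must be that issuer.
        if i + 1 == len(chain) or chain[i + 1].subject != cert.issuer:
            break
    return False, "no trust anchor found"


def scenarios():
    old_store = [DST_X3]  # pre-7.1.1 store: no ISRG Root X1
    return {
        "system validator": validate(SERVER_CHAIN, old_store, TODAY, False),
        "app validator": validate(SERVER_CHAIN, old_store, TODAY, True),
        "app + shipped X1": validate(SERVER_CHAIN, old_store + [X1_SELF], TODAY, True),
    }
```

Under these assumptions only the middle case fails, which is the situation the comment suspects for an application that validates independently while reusing the system root store.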