On 11/03/2020 17:08, Niki Dinsey wrote:
> As for going back to the software vendor, I absolutely want to but don't
> hold out too much hope they will change anything.
> I'm basically going to say this:
>
> The certificate chain contains two redundant root certificates, these
> should be removed as there is no need to send root certificates and
> because they are signed with SHA1 stricter servers like Debian are
> dropping the connection.

Replace "stricter servers" with "stricter clients". You might like to
point them to my email explaining the issue in more detail:

https://mta.openssl.org/pipermail/openssl-users/2020-March/012006.html

>
> Does that sound about right?
>
> As for the conversation with Viktor, it's all over my head! Can I just
> ignore and get back to work? Thanks again

Yes - ignore it. Viktor is suggesting that the unknown server that is
being used might actually be OpenSSL - in which case we might want to
make a change to our code so that it is more tolerant of this
mis-configuration. It makes no difference to you though.

Matt

>
> Niki
>
> On Wed, 11 Mar 2020 at 15:33, Viktor Dukhovni
> <openssl-users@xxxxxxxxxxxx> wrote:
>
>     On Wed, Mar 11, 2020 at 11:31:51AM -0400, Viktor Dukhovni wrote:
>
>     > I think the server could be OpenSSL, because why I made sure that
>
>     s/why/while/.
>
>     > self-signed CA signatures are not subjected to security levels in
>     > x509_vfy.c, the same exclusion does not appear to be present in:
>     >
>     >     int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
>
>     [...]
>
>     --
>         Viktor.
>
> --
> Niki Dinsey
> IS Manager
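
The check discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: it walks the chain a server sends and flags self-issued roots and SHA-1 signatures. All function names and the sample certificates are constructed for illustration, and self-issued is judged by issuer equal to subject only.

```python
SHA1_SIG_OIDS = {bytes.fromhex(h): n for h, n in (  # DER-encoded OID bodies
    ("2a864886f70d010105", "sha1WithRSAEncryption"),
    ("2a8648ce3d0401", "ecdsa-with-SHA1"), ("2a8648ce380403", "dsa-with-SHA1"))}

def children(buf, start, end):
    """List (tag, elem_start, value_start, value_end) for DER elements in buf[start:end]."""
    out = []
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, start, pos, pos + length))
        start = pos + length
    return out

def inspect_cert(der):
    """Return (self_issued, sha1_algorithm_name_or_None) for one DER certificate."""
    cert = children(der, 0, len(der))[0]
    tbs, sig_alg = children(der, cert[2], cert[3])[:2]
    fields = children(der, tbs[2], tbs[3])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    issuer, subject = (der[f[1]:f[3]] for f in (fields[2], fields[4]))
    oid = children(der, sig_alg[2], sig_alg[3])[0]
    return issuer == subject, SHA1_SIG_OIDS.get(der[oid[2]:oid[3]])

def audit_chain(chain):
    """Findings for DER certificates in the order the server sent them (leaf first)."""
    findings = []
    for i, der in enumerate(chain):
        self_issued, sha1 = inspect_cert(der)
        if self_issued and i > 0:  # issuer == subject; the signature is not verified here
            findings.append(f"cert {i}: self-issued root, omit from the served chain")
        if sha1:
            findings.append(f"cert {i}: signed with {sha1}")
    return findings

# Constructed sample (not real certificates): empty validity/key, dummy signature.
def tlv(tag, *parts):
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)  # short-form lengths only

def fake_cert(issuer, subject, sha1):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03", tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101" + ("05" if sha1 else "0b"))), b"\x05\x00")
    tbs = tlv(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01", alg, name(issuer), b"\x30\x00", name(subject), b"\x30\x00")
    return tlv(0x30, tbs, alg, b"\x03\x02\x00\x00")

SAMPLE_CHAIN = [fake_cert(b"Inter CA", b"leaf", False), fake_cert(b"Root CA", b"Inter CA", False),
                fake_cert(b"Root CA", b"Root CA", True)]  # leaf, intermediate, redundant SHA-1 root
```

To audit a real server's chain, convert each PEM block it serves with `ssl.PEM_cert_to_DER_cert` and pass the resulting list to `audit_chain`.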