LE/DST expired root: workaround #2

Hello,

	https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

^^ This document indicates that, by enabling trusted-first mode, I should be able to work around the LE expiration problem.

I’m either misunderstanding this or “holding it wrong”, though, because I can’t see that setup making any difference.

I’ve got a chain with:
1) leaf cert (felipegasper.com)
2) Let’s Encrypt R3
3) … and the cert called “ISRG Root X1” that is *not*, in fact, a root cert

Cert #3 in the above is issued by the now-expired “DST Root CA X3”, so including it (understandably) “misleads” `openssl verify` into looking into its root store for that cert’s issuer, which causes a verification failure.

I notice, though, that connection handshakes succeed despite the non-self-signed “ISRG Root X1” being part of the sent chain.

Is there a way I can make `openssl verify` behave the same way as connection handshakes, so the 3 certs I have in my chain will pass OpenSSL’s dedicated verification logic?

Thank you!

cheers,
-Felipe Gasper
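An added, self-contained illustration of the chain-building behaviour the post is asking about (this is example code, not part of the original thread or of OpenSSL's own documentation). It builds a toy PKI that mirrors the Let's Encrypt layout: a short-lived "old root" standing in for DST Root CA X3, a long-lived "new root" standing in for ISRG Root X1 that exists both self-signed and cross-signed by the old root, an intermediate standing in for R3, and a leaf. The served chain (intermediate plus cross-signed root) is always passed to `openssl verify -untrusted`, the way a TLS client sees it, and `-attime` moves the clock two days ahead so that only the old root is expired. All names, file paths and validity periods are constructed for this example; it assumes an `openssl` binary of version 1.1.1 or later on `PATH`, where trusted-first path building is always on (`-trusted_first` is accepted for compatibility).

```sh
#!/bin/sh
# Constructed toy PKI (not from the thread). Stand-ins:
#   Toy Old Root       -> DST Root CA X3 (self-signed, valid 1 day only)
#   Toy New Root       -> ISRG Root X1, as a self-signed cert AND cross-signed by Toy Old Root
#   Toy Intermediate   -> R3, issued by Toy New Root
#   example.test leaf  -> the server certificate
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Verify "two days from now": the 1-day old root is expired then, everything else is valid.
ATTIME=$(( $(date +%s) + 2 * 86400 ))

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"; }
csr()     { openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null; }

# issue <csr-name> <out-name> <extfile-name> <days> <signing args...>
# Signing args are either "-signkey <key>" (self-signed) or "-CA <cert> -CAkey <key> -CAcreateserial".
issue() {
  _csr=$1 _out=$2 _ext=$3 _days=$4; shift 4
  openssl x509 -req -in "$WORK/$_csr" -out "$WORK/$_out" -extfile "$WORK/$_ext" \
      -days "$_days" "$@" 2>/dev/null
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
      > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nsubjectAltName=DNS:example.test\n' \
      > "$WORK/leaf.ext"
  for n in oldroot newroot inter leaf; do gen_key "$n"; done
  csr oldroot "Toy Old Root"
  csr newroot "Toy New Root"
  csr inter   "Toy Intermediate"
  csr leaf    "example.test"

  # Old root: self-signed, expires after one day (before ATTIME).
  issue oldroot.csr oldroot.pem ca.ext 1 -signkey "$WORK/oldroot.key"
  # New root, self-signed: what an up-to-date trust store carries.
  issue newroot.csr newroot.pem ca.ext 3650 -signkey "$WORK/newroot.key"
  # Same new-root key and subject, cross-signed by the old root: what servers ship in their chain.
  issue newroot.csr newroot-cross.pem ca.ext 3650 \
      -CA "$WORK/oldroot.pem" -CAkey "$WORK/oldroot.key" -CAcreateserial
  issue inter.csr inter.pem ca.ext 3650 \
      -CA "$WORK/newroot.pem" -CAkey "$WORK/newroot.key" -CAcreateserial
  issue leaf.csr leaf.pem leaf.ext 3650 \
      -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial

  cat "$WORK/inter.pem" "$WORK/newroot-cross.pem" > "$WORK/chain.pem"   # chain as a server sends it
  cat "$WORK/oldroot.pem" "$WORK/newroot.pem"     > "$WORK/both-roots.pem" # store holding old AND new root
}

# verify_with_store <trust-anchor file>: the served chain is always untrusted input.
verify_with_store() {
  openssl verify -attime "$ATTIME" -trusted_first -CAfile "$WORK/$1" \
      -untrusted "$WORK/chain.pem" "$WORK/leaf.pem"
}
# Store has only the self-signed new root: the cross-signed copy in the chain is simply not used.
verify_against_new_root()   { verify_with_store newroot.pem; }
# Store has both roots: trusted-first prefers the self-signed new root over building
# through the cross-signed cert to the expired old root, so this succeeds.
verify_against_both_roots() { verify_with_store both-roots.pem; }
# Store has only the expired old root: the only path ends at an expired anchor, so this fails.
verify_against_old_root()   { verify_with_store oldroot.pem; }

build_pki
for f in verify_against_new_root verify_against_both_roots verify_against_old_root; do
  if "$f" >/dev/null 2>&1; then echo "$f: verification OK"; else echo "$f: verification failed"; fi
done
```

The `both-roots.pem` case is the one the linked OpenSSL blog post is about: a trust store that still contains the expired old root alongside the new one verifies fine as long as path building consults the trust store before following the untrusted cross-signed certificate. With the self-signed new root absent from the store (`oldroot.pem` case) no flag can help, because every available path ends at the expired anchor.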
