<div dir="ltr">Andrew Ayer (the SSLMate guy, knows his TLS stuff) wrote up a really good explainer here:<div><br></div><div><a href="https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration">https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration</a></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">-- </div><div dir="ltr"><span style="font-size:12.8px">Royce</span><br></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, May 30, 2020 at 8:00 AM Royce Williams via <a href="http://groups.io">groups.io</a> &lt;royce.williams=<a href="mailto:gmail.com@groups.io">gmail.com@groups.io</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div>Be aware that multiple platforms are being affected today by the expiration of the "<span style="font-family:'Roboto Mono',sans-serif;font-size:13.3333px">AddTrust External CA Root</span>" cert (<a href="https://crt.sh/?id=1" target="_blank">https://crt.sh/?id=1</a>). 
<div><br><div>If you're getting weird failures when pulling something from an API, or when updating packages - anything with a download in the workflow - and it breaks in a weird way today, get under the hood and see if the cert is failing validation.<br><br>The fix for appliances will likely be updating firmware, though there may be a chicken-and-egg problem where the download of the firmware itself will fail because validation of the upstream TLS cert is broken.<br><br>For self-made devices/servers, updating curl or OpenSSL to be able to properly validate the chain may work.<br><br>GnuTLS appears to be broken more deeply, no recommendation there yet.<br><br>Follow @sleevi_ (Ryan Sleevi, Google TLS security person) on Twitter for developing info, specifically this thread:</div><div><br></div><div><a href="https://twitter.com/sleevi_/status/1266647545675210753" target="_blank">https://twitter.com/sleevi_/status/1266647545675210753</a><br><br>Known affected platforms so far include pfSense, OVH, Datadog, etc.</div><div><br><div>pfSense is aware of the issue, see this thread:</div><div><br></div><div><a href="https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired/5" target="_blank">https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired/5</a><br></div><div><br></div><div><div dir="ltr"><div dir="ltr"><div>-- </div><div>Royce Williams<br>Tech Solvency</div></div></div></div></div></div></div>
<p><a href="https://groups.io/g/nuga/message/419" target="_blank">View/Reply Online (#419)</a></p>
</blockquote></div>
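<p>The advice above is to "get under the hood and see if the cert is failing validation". The following is an added example, not code from either message or from any of the projects named: a stdlib-only Python scanner that walks the DER of every certificate in a PEM bundle (a saved <code>openssl s_client -showcerts</code> capture, a CA bundle, an appliance's trust store) and reports which ones have already expired at a chosen instant, so an operator can tell whether a chain still carries the expired AddTrust root. The sample chain embedded in the block is constructed with a tiny DER encoder; the "lookalike" certificate is not the real AddTrust External CA Root, carries no real signature, and its validity timestamps are assumed values chosen to match the 2020-05-30 expiry discussed in the thread.</p>

```python
"""Find expired certificates in a PEM chain (added example, stdlib only).

Walks just enough X.509 DER to read subject CN and the validity window of
each certificate, then flags the ones whose notAfter is in the past.
"""
import base64
import re
from datetime import datetime, timezone

# ---------- minimal DER decoding ----------

def _tlv(data, pos=0):
    """Decode one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(data):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _tlv(data, pos)
        yield tag, value

def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDD..Z) or GeneralizedTime (0x18, YYYYMMDD..Z)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _common_name(name_der):
    """Return the CN attribute of an X.501 Name (contents of the SEQUENCE), or ''."""
    cn_oid = bytes.fromhex("550403")        # id-at-commonName 2.5.4.3
    for _, rdn_set in _children(name_der):
        for _, atv in _children(rdn_set):
            parts = list(_children(atv))    # [(OID tag, oid), (string tag, value)]
            if parts[0][1] == cn_oid:
                return parts[1][1].decode("utf-8")
    return ""

def cert_info(der):
    """Return (subject CN, notBefore, notAfter) for one DER-encoded certificate."""
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _tlv(cert)                  # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, spki, ...
    validity = list(_children(fields[3][1]))
    return (_common_name(fields[4][1]), _parse_time(*validity[0]), _parse_time(*validity[1]))

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem_text):
    """Split a PEM bundle into the DER bytes of each certificate."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]

def expired_certs(pem_text, now=None):
    """List (CN, notAfter) for every certificate in the bundle already expired at `now`."""
    now = now or datetime.now(timezone.utc)
    return [(cn, na) for cn, _, na in map(cert_info, pem_to_ders(pem_text)) if na < now]

# ---------- constructed sample chain (NOT the real AddTrust certificate) ----------

def _der(tag, content):
    """Encode one DER TLV (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def _name(cn):
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))      # Name ::= SEQUENCE OF RelativeDistinguishedName (SET)

def _fake_cert(cn, not_before, not_after):
    """Build a structurally valid, unsigned, self-issued certificate for demonstration."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # v3, serial 1
               + alg + _name(cn) + validity + _name(cn) + _der(0x30, b""))   # empty SPKI placeholder
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))                       # empty signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

# Constructed: an in-date leaf plus a lookalike of the root that expired on 2020-05-30 (assumed time).
SAMPLE_CHAIN = (_fake_cert("leaf.example.test (constructed)", "200101000000Z", "220101000000Z")
                + _fake_cert("AddTrust External CA Root (constructed lookalike)", "000530104838Z", "200530104838Z"))
DAY_AFTER_EXPIRY = datetime(2020, 5, 31, tzinfo=timezone.utc)
DAY_BEFORE_EXPIRY = datetime(2020, 5, 29, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cn, not_after in expired_certs(SAMPLE_CHAIN, now=DAY_AFTER_EXPIRY):
        print(f"EXPIRED: {cn} (notAfter {not_after:%Y-%m-%d %H:%M:%S} UTC)")
```

<p>Pointing <code>expired_certs()</code> at a real capture shows whether the chain a server sends, or the bundle a client trusts, still includes a certificate whose validity ended; a chain that is otherwise fine but drags along an expired cross-signed root is exactly the case that makes older OpenSSL and GnuTLS validators fail while path-building clients keep working.</p>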