[aklug] [nuga] multiple TLS up/download workflows broken by expiration of AddTrust External CA Root
royce at tycho.org
Sat May 30 08:54:19 AKDT 2020
Andrew Ayer (the SSLMate guy, knows his TLS stuff) wrote up a really good
On Sat, May 30, 2020 at 8:00 AM Royce Williams via groups.io
<royce.williams=gmail.com at groups.io> wrote:
> Be aware that multiple platforms are being affected today by the
> expiration of the "AddTrust External CA Root" cert (https://crt.sh/?id=1
> If you're getting weird failures when pulling something from an API, or
> when updating packages - anything with a download in the workflow - and it
> breaks in a weird way today, get under the hood and see if the cert is
> failing validation.
> The fix for appliances will likely be updating firmware, though there may
> be a chicken-and-egg problem where the download of the firmware itself will
> fail because validation of the upstream TLS cert is broken.
> For self-made devices/servers, updating curl or OpenSSL to be able
> to properly validate the chain may work.
> GnuTLS appears to be broken more deeply, no recommendation there yet.
> Follow @sleevi_ (Ryan Sleevi, Google TLS security person) on Twitter for
> developing info, specifically this thread:
> Known affected platforms so far include pfSense, OVH, Datadog, etc.
> pfSense is aware of the issue, see this thread:
> Royce Williams
> Tech Solvency
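One way to do the "get under the hood" check described in the message above across many job or package-manager logs. This is an added example, not part of the original post. It separates failures caused by an expired certificate in the chain from other validation errors, and names the client library that reported them (curl, OpenSSL, GnuTLS, Python's ssl module). The signature list reflects messages these clients commonly print and is assumed, not exhaustive; the sample log is constructed.

```python
import re

# Messages printed when chain validation fails on an expired certificate.
# Assumed, non-exhaustive set; extend it for the clients in your estate.
SIGNATURES = [
    ("curl", re.compile(r"curl: \(60\).*certificate has expired")),
    ("openssl", re.compile(
        r"(verify error:num=10:|Verify return code: 10 \()certificate has expired")),
    ("gnutls", re.compile(r"certificate chain uses expired certificate")),
    ("python-ssl", re.compile(r"CERTIFICATE_VERIFY_FAILED.*certificate has expired")),
]
# Validation failures that are NOT expiry (e.g. a missing issuer); reported
# separately so they are not blamed on the expired root.
GENERIC = re.compile(
    r"certificate verify failed|SSL certificate problem|certificate is NOT trusted",
    re.IGNORECASE)

def classify(line):
    """Return (client, reason) for a TLS validation failure, else None."""
    for client, pattern in SIGNATURES:
        if pattern.search(line):
            return client, "expired"
    if GENERIC.search(line):
        return "unknown", "other-verify-failure"
    return None

def triage(lines):
    """Return (line_number, client, reason) for every validation failure."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, *verdict))
    return hits

# Constructed sample log, for illustration only.
SAMPLE_LOG = """\
2020-05-30T08:01:12 fetch job=pkg-update start
curl: (60) SSL certificate problem: certificate has expired
Verify return code: 10 (certificate has expired)
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
curl: (60) SSL certificate problem: unable to get local issuer certificate
2020-05-30T08:01:15 fetch job=pkg-update exit=1
""".splitlines()

if __name__ == "__main__":
    for number, client, reason in triage(SAMPLE_LOG):
        print(f"line {number}: {client}: {reason}")
```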