[aklug] [nuga] multiple TLS up/download workflows broken by expiration of AddTrust External CA Root

Royce Williams royce at tycho.org
Sat May 30 08:54:19 AKDT 2020


Andrew Ayer (the SSLMate guy, knows his TLS stuff) wrote up a really good
explainer here:

https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration

-- 
Royce


On Sat, May 30, 2020 at 8:00 AM Royce Williams via groups.io
<royce.williams=gmail.com at groups.io> wrote:

>
> Be aware that multiple platforms are being affected today by the
> expiration of the "AddTrust External CA Root" cert (https://crt.sh/?id=1).
>
> If you're getting weird failures when pulling something from an API, or
> when updating packages - anything with a download in the workflow - and it
> breaks in a weird way today, get under the hood and see if the cert is
> failing validation.
>
> The fix for appliances will likely be updating firmware, though there may
> be a chicken-and-egg problem where the download of the firmware itself will
> fail because validation of the upstream TLS cert is broken.
>
> For self-made devices/servers, updating curl or OpenSSL to be able
> to properly validate the chain may work.
>
> GnuTLS appears to be broken more deeply, no recommendation there yet.
>
> Follow @sleevi_ (Ryan Sleevi, Google TLS security person) on Twitter for
> developing info, specifically this thread:
>
> https://twitter.com/sleevi_/status/1266647545675210753
>
> Known affected platforms so far include pfSense, OVH, Datadog, etc.
>
> pfSense is aware of the issue, see this thread:
>
> https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired/5
>
> --
> Royce Williams
> Tech Solvency
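A toy model of the failure described in this thread, added here as an example (not code from the thread, from OpenSSL, curl or any other project named): certificates are plain dicts with constructed dates and abbreviated CA names, the two validators approximate a legacy chain-as-sent check versus modern path building, and `server_side_fix` is a hypothetical helper showing the operator-side remedy of dropping the cross-signed certificate.

```python
from datetime import date

# Constructed sample data modelled on the incident (names abbreviated, dates at
# day granularity, nothing parsed from real certificates).
ADDTRUST_EXPIRY = date(2020, 5, 30)  # AddTrust External CA Root notAfter
DAY_BEFORE, DAY_AFTER = date(2020, 5, 29), date(2020, 5, 31)

# Served chain: leaf, intermediate, then a cross-signed copy of the USERTrust
# root that is signed by, and expires with, the AddTrust root.
SERVED_CHAIN = [
    {"subject": "example.com", "issuer": "Sectigo RSA DV CA", "not_after": date(2021, 1, 1)},
    {"subject": "Sectigo RSA DV CA", "issuer": "USERTrust RSA CA", "not_after": date(2030, 1, 1)},
    {"subject": "USERTrust RSA CA", "issuer": "AddTrust External CA Root", "not_after": ADDTRUST_EXPIRY},
]

# Client trust store (root name -> notAfter); both roots present, as in most bundles then.
TRUST_STORE = {"AddTrust External CA Root": ADDTRUST_EXPIRY, "USERTrust RSA CA": date(2038, 1, 1)}


def validate_as_served(chain, trust_store, today):
    # Legacy behaviour (roughly OpenSSL 1.0.x): take the chain exactly as sent and
    # require every link, including the cross-sign and the root it names, to be unexpired.
    for cert in chain:
        if cert["not_after"] < today:
            return False, f"{cert['subject']} expired"
    root = chain[-1]["issuer"]
    if root not in trust_store:
        return False, f"{root} not in trust store"
    if trust_store[root] < today:
        return False, f"{root} expired"
    return True, f"anchored at {root}"


def validate_with_path_building(chain, trust_store, today):
    # Modern behaviour (OpenSSL 1.1.x, browsers): stop at the first served cert whose
    # issuer is an unexpired trust anchor, so the cross-sign and AddTrust are never consulted.
    for depth, cert in enumerate(chain):
        if cert["not_after"] < today:
            return False, f"{cert['subject']} expired"
        anchor = cert["issuer"]
        if anchor in trust_store and trust_store[anchor] >= today:
            return True, f"anchored at {anchor} after {depth + 1} cert(s)"
    return False, "no path to an unexpired trust anchor"


def server_side_fix(chain):
    # Operator fix (hypothetical helper): stop sending the cross-signed copy, so
    # legacy clients reach the still-valid USERTrust root directly.
    return [c for c in chain if c["issuer"] != "AddTrust External CA Root"]
```

Run `validate_as_served(SERVED_CHAIN, TRUST_STORE, DAY_AFTER)` to see the legacy failure and the path-building variant to see why updated clients are unaffected.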