[Interest] SSL & Let's Encrypt certificate expiration

Christophe Thomas oxygen77.ct at gmail.com
Wed Oct 6 11:02:04 CEST 2021


Thank you for the hint; I found this link that talks about it:
https://community.letsencrypt.org/t/isrg-root-lazy-loading-problem-missing-from-random-updated-windows-10-versions/141550/2

We've also tested on an old Linux (Ubuntu 16).

When trying to connect to one test website, OpenSSL is not finalizing the
connection due to the expired DST Root X3, and we can see that the chain is
website cert => ISRG X1 root => DST Root X3

Doing the same test with our own software (which uses our own shipped lib
for OpenSSL) from scratch, we fail, and we can see we use the same chain as
above.

Third test, still with our software but forcing loading of the CA cert before
the first connection (see first email from maitai => def.setCaCertificates(
QSslConfiguration::systemCaCertificates());).
In this case we still have the same chain reported, but with DST Root X3
expiring in 2024, and the connection is OK.

Also, on this device we find the ISRG_Root_X3.pem, which is expired.

So this is a bit puzzling.

Christophe

On Wed 6 Oct 2021 at 02:06, Hamish Moffatt via Interest <
interest at qt-project.org> wrote:

> On 6/10/21 06:13, Thiago Macieira wrote:
> > On Tuesday, 5 October 2021 11:45:23 PDT Christophe Thomas wrote:
> >> For the cert chain we are currently using the default LE setting, so we
> >> currently provide the X1 cross-signed with the expired X3.
> >>
> >> Nevertheless, the issue is that strangely we need to force caCertificate
> >> load in order to have the connection accepted.
> > In the client's system, is the ISRG Root X1 certificate present? Can you
> > check with the plain openssl s_client command to see if the problem is OpenSSL?
> >
>
> We have had some difficulty here with Windows 10's "lazy loading" of the
> root certificates. Unless users have been to a site that uses the ISRG
> X1 root certificate using Chrome or Edge, they do not have this
> certificate and it is not available to Qt. As soon as they visit a site
> that uses the new root in Chrome or Edge, Windows loads the certificate
> and it works in Qt.
>
> Hamish
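As an added example (not code from this thread, from Qt or from OpenSSL), the following Go program reproduces Christophe's three observations above with constructed throwaway certificates: the server-sent chain runs through a cross-signed "New Root" to an expired "Old Root" (stand-ins for ISRG Root X1 and DST Root X3), verification fails while the trust store holds only the expired root, and it succeeds as soon as the self-signed New Root is in the store, even though the server still sends the path to the expired root. It assumes Go's crypto/x509 verifier (Go 1.18 or later) in place of the OpenSSL build in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func tmpl(cn string, serial int64, notAfter time.Time, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
}

// sign issues t for subject's key, signed by issuer, whose own certificate is parent.
func sign(t, parent *x509.Certificate, subject, issuer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &subject.PublicKey, issuer))))
}

// BuildChain makes constructed throwaway stand-ins: oldRoot plays the expired DST Root X3, newRoot the
// self-signed ISRG Root X1, cross the same ISRG key cross-signed by the old root, leaf the website cert.
func BuildChain() (leaf, cross, newRoot, oldRoot *x509.Certificate) {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldKey, newKey, leafKey, now := key(), key(), key(), time.Now()
	oldTmpl := tmpl("Old Root (expired)", 1, now.Add(-24*time.Hour), true) // NotAfter is already in the past
	oldRoot = sign(oldTmpl, oldTmpl, oldKey, oldKey)
	newTmpl := tmpl("New Root", 2, now.Add(24*time.Hour), true)
	newRoot = sign(newTmpl, newTmpl, newKey, newKey)
	cross = sign(newTmpl, oldRoot, newKey, oldKey) // the intermediate the server sends in its chain
	leaf = sign(tmpl("site", 3, now.Add(24*time.Hour), false), cross, leafKey, newKey)
	return
}

// Verify checks leaf plus the server-sent cross cert against a store holding only the given roots;
// nil means the verifier found at least one path to a trusted, unexpired root.
func Verify(leaf, cross *x509.Certificate, trusted ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters.AddCert(cross)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Go's verifier accepts the leaf as soon as any path to a trusted, unexpired root exists, which is also why the chain validates when both the expired old root and the new root are present. OpenSSL 1.0.2, the version shipped with Ubuntu 16.04, instead follows the server-sent path to the expired root first, which is why removing the expired DST Root X3 from that system's trust store is the usual remedy there.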