Cryptography Fun On The Internet Today (SSL certificates)

Let me cut right to the chase: a long-planned LetsEncrypt certificate expiration happened today, and it’s causing lots of havoc around the Internet. You may be experiencing certificate errors, which might look something like this:

depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired

This is happening because of a bug in pre-1.1.x OpenSSL (and in LibreSSL, which is based on old OpenSSL, and is for some reason what’s claiming the OpenSSL spot on my macOS). OpenSSL wasn’t properly validating certificate chains (it assumes, in effect, that they’re linear, and that the first path through them that leads to a trust anchor is the only one that matters, whether or not other viable paths exist).
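As an added illustration (not code from the post), here is a toy model of the two path-building strategies. The certificate records are constructed stand-ins carrying only subject, issuer and expiry date, with no real keys or signatures; the names and dates follow the 2021 Let's Encrypt chain (leaf, R3, ISRG Root X1 cross-signed by DST Root CA X3) and a trust store that holds both the expired DST root and the self-signed ISRG root.

```python
from datetime import date

# Constructed stand-in certificates: (subject, issuer, not_after). No keys or
# signatures; only the names and dates that path building looks at.
LEAF          = ("www.example.invalid", "R3",             date(2021, 12, 1))
R3            = ("R3",                  "ISRG Root X1",   date(2025, 9, 15))
ISRG_X1_CROSS = ("ISRG Root X1",        "DST Root CA X3", date(2024, 9, 30))  # cross-signed
DST_ROOT_X3   = ("DST Root CA X3",      "DST Root CA X3", date(2021, 9, 30))  # expired today
ISRG_ROOT_X1  = ("ISRG Root X1",        "ISRG Root X1",   date(2035, 6, 4))   # self-signed root

SERVED_CHAIN = [LEAF, R3, ISRG_X1_CROSS]    # what a Let's Encrypt server sent
TRUST_STORE  = [DST_ROOT_X3, ISRG_ROOT_X1]  # a typical 2021 root bundle
DAY_BEFORE, DAY_AFTER = date(2021, 9, 29), date(2021, 10, 1)

def expired(cert, today):
    return today > cert[2]

def verify_linear(served, store, today):
    """Old-OpenSSL-style walk: treat the served chain as a straight line, then
    look the last cert's issuer up in the trust store. Whatever anchor that
    turns up is the only one ever examined."""
    for cert in served:
        if expired(cert, today):
            return f"error: {cert[0]} has expired"
    top_issuer = served[-1][1]
    for anchor in store:
        if anchor[0] == top_issuer:
            return f"error: {anchor[0]} has expired" if expired(anchor, today) else "ok"
    return "error: unable to get issuer certificate"

def verify_any_path(served, store, today):
    """Graph walk: every cert (trusted or served) whose subject matches the
    current issuer is a branch, and a cert that is itself in the trust store
    ends a path. Succeeds if any branch reaches an unexpired anchor."""
    def walk(cert, depth):
        if expired(cert, today):
            return False
        if cert in store:
            return True
        if depth >= 8:                          # bound the search depth
            return False
        return any(walk(cand, depth + 1) for cand in store + served
                   if cand is not cert and cand[0] == cert[1])
    return "ok" if walk(served[0], 0) else "error: no valid path to a trust anchor"

if __name__ == "__main__":
    for today in (DAY_BEFORE, DAY_AFTER):
        print(today, "linear:", verify_linear(SERVED_CHAIN, TRUST_STORE, today))
        print(today, "graph: ", verify_any_path(SERVED_CHAIN, TRUST_STORE, today))
```

Before 30 September both walks accept the chain; after it, the linear walk stops at the expired DST root while the graph walk finds the path through the self-signed ISRG Root X1 that was in the store all along.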

What you probably want to do here is update your image to run newer OpenSSL.

Our friends at Tailscale have some additional advice for dealing with things like apt-get if they act up:

In other Internet cryptography news, Slack briefly enabled DNSSEC today, and as a result fell off the Internet completely. It’s been a fun day for Internet cryptography! Don’t use DNSSEC!

Yours in X.509 graph traversal,