

In reply to Fixing the Breakage from the AddTrust External CA Root Expiration

Anonymous on 2020-05-30 at 20:04:

I am not certain that the following statement is always true:

> Fortunately, OpenSSL 1.0.x and GnuTLS only choke on the expired intermediate if the AddTrust External CA Root root is in the local trust store.

On my RHEL and Fedora systems, removing AddTrust External CA Root from my trust stores by following Christian Heimes' Twitter link in your post indeed resolved the openssl s_client -connect test, which no longer shows an error, but wget, which is compiled with GnuTLS, still returns the "is not trusted" error when testing connections to servers that did not remove the expired intermediate certificate issued by AddTrust External CA Root from their certificate chain.

Am I missing something?

