Help thread for DST Root CA X3 expiration (September 2021)

Nummer378 · July 5, 2021, 8:38pm

There are quite a few TLS implementations out there (mostly non-browser things: Older OpenSSL, GnuTLS, LibreSSL...) that will always validate up to the highest certificate in the chain:

Questions re: Extending Android Device Compatibility

Specifically, from what I believe to know (not exactly 100% sure though), old versions of OpenSSL (and GnuTLS) always validate up to the highest certificate in the chain, even if they should know that an intermediate is a valid trusted root. I think they don't have an "early return" like modern browsers, where validation is simply stopped as soon as a trust anchor is reached.

There are blog posts (or things discussed on various bugtrackers ) that sound like trouble could happen with OpenSSL and GnuTLS as soon as DST Root CA X3 has expired. The cross-sign signature on ISRG Root X1 will still be valid, but if a client validates up to DST Root CA X3 after it has expired AND checks the expiry date (which isn't done by Android, but maybe OpenSSL/GnuTLS does?) validation will fail. This could apply EVEN if ISRG Root X1 is in the trust store, so validation without the cross-sign will work normally, but with the compatibility extension these devices will fail handshakes starting in late 2021+?

The behaviour mentioned above applies for example to OpenSSL < 1.1, < mid-2020 GnuTLS & LibreSSL and probably over two dozen embedded TLS implementations.