Just wondering what the advice will be for Android mobile clients to work around this for 3rd party APIs. Does this get fixed by adopting the Google Play Provider? Does that get updated CA certs?
Or is the only workaround to ask clients to ship an additional CA cert that they install in addition to the system certs?
Essentially, if you were to write the Stack Overflow answer for the mobile app devs who will be impacted by this, what would you write?
I've raised https://github.com/square/okhttp/issues/6403 to work out what we can advise when it gets raised. It seems like a similar case to the Sectigo expiry earlier this year; adopting Conscrypt on Android was a fix there because it was cross-signed (IIUC), but older Android VMs were tripping anyway.
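One way to implement the "ship an additional CA cert alongside the system certs" workaround asked about above, as an added example that is not part of the original thread and not code from the OkHttp project: it uses OkHttp's `okhttp-tls` artifact (`HandshakeCertificates`) to trust every root the platform already trusts plus one extra root bundled with the app. The asset file name `isrg_root_x1.pem`, the `buildClientWithExtraRoot`/`fetch` helper names and the call site are assumptions for this example; the PEM itself is not embedded here and should be taken from the CA's official distribution, not typed in from memory.

```kotlin
import android.content.Context
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.decodeCertificatePem
import java.security.cert.X509Certificate

// Builds an OkHttpClient that trusts the device's system roots PLUS one extra root
// shipped inside the app. The extra root is read from app assets; the default file
// name is an assumption for this example (ship the root your API's chain needs).
fun buildClientWithExtraRoot(
    context: Context,
    assetName: String = "isrg_root_x1.pem",
): OkHttpClient {
    val pem = context.assets.open(assetName).bufferedReader().use { it.readText() }
    val extraRoot: X509Certificate = pem.decodeCertificatePem()

    // Refuse obviously wrong input: only a self-signed CA certificate belongs here,
    // so a leaf or intermediate pasted by mistake fails at startup, not at runtime.
    require(extraRoot.basicConstraints >= 0) { "$assetName is not a CA certificate" }
    require(extraRoot.subjectX500Principal == extraRoot.issuerX500Principal) {
        "$assetName is not a self-signed root"
    }

    val certificates = HandshakeCertificates.Builder()
        .addPlatformTrustedCertificates() // keep every root the OS already trusts
        .addTrustedCertificate(extraRoot)  // and add the one the OS is missing
        .build()

    return OkHttpClient.Builder()
        .sslSocketFactory(certificates.sslSocketFactory(), certificates.trustManager)
        .build()
}

// Minimal call using the client; the URL passed in is whatever API the app talks to.
fun fetch(client: OkHttpClient, url: String): Int =
    client.newCall(Request.Builder().url(url).build()).execute().use { it.code }
```

This only changes trust for the `OkHttpClient` built here: WebViews and any other HTTP stack in the same app keep the system trust store, so they still need the platform fix or Android's declarative `network_security_config.xml` trust anchors. It also does not help if the server sends only a chain that the device cannot build a path from; which chain the server sends still matters.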