New Slack certs rejected by PaloAlto PanOS firewalls

Thanks guys. Using -servername does return the correct server. Apparently macOS Monterey's OpenSSL is old. I could have sworn that I recently got LE details without -servername but it must have been from a different OS.

I'm still fighting the fight with Palo and Slack. Someone will give.

2 Likes

Maybe you could trick it... into submission!
Set up an inverse/reverse proxy to hide the Slack site from Palo's direct sight.
[this may require using DNS/proxies/NAT/etc. in ways that may reshape the time continuum - LOL]

2 Likes

You can check with openssl version.

1 Like

Could be connecting to a server (not a CDN) that only has Let's Encrypt certificates and no others, in which case the default no-SNI certificate would be the one issued by Let's Encrypt.

4 Likes

Could also be remembering things, not as they were, but as they should have been - LOL

3 Likes

That would cut off a giant chunk of the internet's users, with disproportionate effects based on class and geopolitical regions.

The history of the "Long Chain Solution" includes most of the browser, OS, and SSL projects coming together to loosen restrictions and coalesce around making the "short circuit" chain validation logic the standard default. A lot of key players in the greater internet industry came together for this solution. It is unfortunate that Palo Alto decided not to join everyone else.

IMHO, Palo Alto makes subpar products without much thought or foresight. They are notorious in this forum (as some comments above indicate) for randomly implementing rules that block authentication without adequately notifying their customers, if at all.

7 Likes

Will those users be perpetually permitted to use the expired / unsafe cert? Or were they just given extra time before they will actually be cut off in 2024?

It's not unsafe.

3 Likes

Apologies if I misspoke. Why do root certs expire?

1 Like

I'm not sure why they expire to begin with, although Android is one of the few ecosystems out there not enforcing the expiry of a trust anchor.

Fun fact: OpenSSL doesn't even check the signature of a root certificate! The trust anchor in a root certificate store is ultimately trusted, even if you modify the certificate. See Working around expired Root Certificates for more info.

4 Likes

All certs [including root certs] must have a start and an end date.
So, eventually that end date will come to pass.

That said, the end date for root certs is not applied like the end dates for all other certs; some operating systems/browsers will ignore the end date for root certs [and some won't].

3 Likes

Well, there is a paragraph in RFC 5280:

4.1.2.5. Validity
To indicate that a certificate has no well-defined expiration date,
the notAfter SHOULD be assigned the GeneralizedTime value of
99991231235959Z.

which would normally mean Dec 31st, midnight, in the year 9999.

But MS has a hard limit on root cert lifetime in their trust store:

Newly minted Root CAs must be valid for a minimum of 8 years, and a maximum of 25 years, from the date of submission.

5 Likes

A section of users will have perpetual access.

If the Certificate were ever to be deemed "unsafe", it could be limited in the future through public or private Certificate Revocation programs. The CAs run public CRL servers, but several browsers and operating systems have their own private systems of pushing identifiers of revoked or problematic certs to clients.

The workaround keeps the legacy devices usable, while newer devices just short-circuit their pathbuilding logic and interpret the long-chain as the short-chain.

4 Likes
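To make the "short-circuit" versus walk-the-whole-chain path building from the two posts above concrete, here is a small model added to this thread; it is not code from any poster, from Let's Encrypt, or from Palo Alto. The chain is constructed to mirror the Let's Encrypt long chain (leaf, R3, cross-signed ISRG Root X1) with approximate notAfter dates, and the "strict device" case is an assumption about how a firewall that rejects the long chain behaves, not a description of PAN-OS internals.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed chain modelled on the Let's Encrypt long chain served on b.slack-edge.com.
# Dates are approximations of the published hierarchy, used only for illustration.
LEAF     = Cert("b.slack-edge.com", "R3", date(2024, 6, 1))
R3       = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed copy
LONG_CHAIN  = [LEAF, R3, X1_CROSS]
SHORT_CHAIN = [LEAF, R3]
TODAY = date(2023, 5, 1)  # assumed validation date for the scenarios below

# Trust stores: subject of the root -> its notAfter.
MODERN_STORE = {"ISRG Root X1": date(2035, 6, 4), "DST Root CA X3": date(2021, 9, 30)}
OLD_ANDROID  = {"DST Root CA X3": date(2021, 9, 30)}  # never received ISRG Root X1

def validate(chain, trust_store, today, short_circuit=True, enforce_anchor_expiry=True):
    """Simplified path builder. Returns (accepted, reason).

    short_circuit=True stops at the first cert whose issuer is a trust anchor (the
    browser/OS default the thread describes); False walks the served chain to its end.
    enforce_anchor_expiry=False models platforms that ignore a root's notAfter.
    """
    for i, cert in enumerate(chain):
        if cert.not_after < today:
            return False, f"{cert.subject} has expired"
        anchor_expiry = trust_store.get(cert.issuer)
        at_end = i == len(chain) - 1
        if anchor_expiry is None:
            if at_end:
                return False, f"issuer {cert.issuer} is not a trust anchor"
            continue  # keep walking the served chain
        if short_circuit or at_end:
            if enforce_anchor_expiry and anchor_expiry < today:
                return False, f"trust anchor {cert.issuer} has expired"
            return True, f"anchored at {cert.issuer}"
    return False, "empty chain"

if __name__ == "__main__":
    print("modern browser :", validate(LONG_CHAIN, MODERN_STORE, TODAY))
    print("old Android    :", validate(LONG_CHAIN, OLD_ANDROID, TODAY, enforce_anchor_expiry=False))
    print("strict device  :", validate(LONG_CHAIN, MODERN_STORE, TODAY, short_circuit=False))
    print("strict + short :", validate(SHORT_CHAIN, MODERN_STORE, TODAY, short_circuit=False))
```

The last two calls show why the same long chain is accepted by the short-circuiting client but rejected by the strict one, and that serving the short chain satisfies the strict client at the cost of the legacy store.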

Slack emailed customers last week telling them they need to have X1 Root by May 9. This suggests (to me) that they had too many client systems that cannot handle the long-chain, and they've chosen to leave behind the EOL/EOS client devices? There's a convo about it here:

3 Likes

I don't think this is related at all. Regarding Slack, according to crt.sh, they have a history of using DigiCert certificates on slack-edge.com. They now intend to use Let's Encrypt certificates.

On a.slack-edge.com, you can still find a DigiCert certificate, while on b.slack-edge.com, there's currently the Let's Encrypt long chain deployed. That's presumably what they're going to roll out everywhere.

(Also previously noted here Email from Slack regarding ISRG Root X1 - #3 by mcpherrinm)

5 Likes
