Renewing your root CA with a new root CA such that the older certs signed by old root CA are still valid

Context: If you have a root CA that you used to sign certificates and the root certificate is about to expire, the certificates signed by that root CA will also become invalid once it expires, even if they haven’t expired themselves, because every certificate in the chain must remain valid for your certificate to be valid. Also, for example, the kube-apiserver takes a --client-ca-file flag when it comes up, where you can pass the root CA. ...

May 18, 2023 · 2 min · Tasdik Rahman

AddTrust Root expiration fix

With the root cert expiring for Sectigo, the older Linux distributions are not properly ignoring the cert. I have seen this affect boxes which ran Ubuntu 16.04, but there would be others too. Didn’t notice anything on Debian 10 (buster). As people have pointed out, this is an OpenSSL 1.0.2 bug. So even a system upgrade wouldn’t help the situation, as this would require an actual distro upgrade. Programs which don’t depend on OpenSSL (like Go binaries) won’t get affected by this. Services/clients on Ruby/JRuby, for example, on the other hand will have problems similar to curl. ...

May 31, 2020 · 3 min · Tasdik Rahman

Introducing Kingsly — The Cert Manager

This was originally published under Gojek’s engineering blog by me; this post is a repost. There’s one thing all devices connected to the Internet have in common — they rely on protocols called SSL/TLS to protect information in transit. SSL/TLS are cryptographic protocols designed to provide secure communication over insecure infrastructure. Any communication over the public internet should be encrypted, for which we need SSL certificates. There are many cases for public communication in GOJEK as well. Some of them are listed below: ...

April 22, 2020 · 7 min · Tasdik Rahman