Time |
Nick |
Message |
01:20 |
|
sandbergja joined #evergreen |
06:01 |
pinesol |
News from qatests: Testing Success <http://testing.evergreen-ils.org/~live> |
08:06 |
|
mantis joined #evergreen |
08:06 |
|
dbwells_ joined #evergreen |
08:09 |
|
rfrasur joined #evergreen |
08:12 |
|
Dyrcona joined #evergreen |
08:17 |
|
alynn26 joined #evergreen |
08:17 |
|
dbwells joined #evergreen |
08:34 |
|
mmorgan joined #evergreen |
09:32 |
|
rfrasur joined #evergreen |
10:23 |
|
sandbergja joined #evergreen |
10:47 |
|
dbwells_ joined #evergreen |
11:02 |
|
dbwells joined #evergreen |
11:32 |
|
jvwoolf1 joined #evergreen |
11:34 |
Dyrcona |
Anyone else had reports of the XUL client not accepting SSL certificates this morning? We've had to have our few XUL users add SSL exceptions. |
11:37 |
berick |
Dyrcona: that happened over the weekend here |
11:37 |
berick |
thought it might be some local firewall maintenance, but maybe a windows update thing? |
11:38 |
Dyrcona |
berick: I see it on Linux, too. I suspect a XULRunner SSL/Date bug. |
11:38 |
jeff |
Dyrcona: is one of your certs cross-signed by the AddTrust root cert that expired over the weekend? |
11:38 |
Dyrcona |
jeff: I don't know. We have Comodo. |
11:39 |
Dyrcona |
I'll see what the cert. itself says. |
11:40 |
jeff |
s/one of your certs/one of the certs in your chain/ |
11:43 |
jeff |
With Comodo (now Sectigo), it's likely that. |
11:44 |
Dyrcona |
Firefox and Chromium are not issuing warnings. |
11:44 |
* jeff |
nods |
11:44 |
jeff |
see https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 |
11:45 |
jeff |
and https://support.comodoca.com/Com_KnowledgeDetailPageSectigo?Id=kA01N000000rgSZ has a bit more in the way of details, but not as much actionable info |
11:45 |
jeff |
"If a system or application only trusts the AddTrust External CA root and not the more modern Comodo or USERTrust roots – errors will occur after May 30th, 2020." |
11:45 |
berick |
jeff++ |
11:45 |
|
sandbergja joined #evergreen |
11:48 |
csharp |
yeah, we hit the same issue with our app on older Android version |
11:48 |
csharp |
s |
11:48 |
jeff |
In addition to the challenge of not having the newer unexpired root cert used to cross-sign, some SSL implementations have a poor "best" logic and will match the expired cert and stop searching. |
11:48 |
Dyrcona |
jeff++ |
11:48 |
csharp |
jeff++ |
11:49 |
mmorgan |
jeff++ |
11:49 |
csharp |
this is very clear too https://ohdear.app/blog/resolving-the-addtrust-external-ca-root-certificate-expiration |
11:49 |
csharp |
^^actionable details :-) |
11:49 |
csharp |
at least as far as removing the expired cert goes |
11:52 |
jeff |
Sorry I can't give any more practical advice. I'm aware of the issue, but happily have not had anything broken come to my attention here. :-) |
11:54 |
Dyrcona |
csharp: So, it looks like I can remove the AddTrust cert, and it should just work? |
12:05 |
|
jihpringle joined #evergreen |
12:25 |
csharp |
Dyrcona: worked for me |
12:26 |
csharp |
Dyrcona: well, what I mean is, it didn't break anything with modern browsers, etc., fixed the nagios check that was angry |
12:26 |
csharp |
not sure if it fixes legacy TLS client access |
12:26 |
csharp |
(probably not) |
12:26 |
csharp |
still waiting to hear back from kenstir about whether it fixed an android app issue |
12:42 |
Dyrcona |
I'm going to test removing the AddTrust cert from the chain and see what happens. I'm told that just adding the SSL exception doesn't always work with XUL. Worked for me on Linux. |
12:51 |
|
khuckins joined #evergreen |
13:01 |
csharp |
"oh, by the way guys, we'll be migrating fully to the web client today!" |
13:03 |
Dyrcona |
:) |
13:29 |
rfrasur |
Dyrcona, do you have many libraries still running the XUL client? |
13:44 |
Dyrcona |
rfrasur: Too many. Some only use it for certain tasks though because it is still better in their mind for those things. And no, I don't know off the top of my head what those tasks are. |
13:44 |
Dyrcona |
And, it doesn't look like removing the AddTrust certificate helps with XULRunner. I still have to add an exception. |
14:08 |
Dyrcona |
It must be Monday. |
14:20 |
mmorgan |
Dyrcona++ # knowing what day it is :) |
14:23 |
|
sandbergja joined #evergreen |
15:26 |
|
jihpringle joined #evergreen |
15:38 |
|
mmorgan left #evergreen |
16:31 |
|
mantis left #evergreen |
18:00 |
pinesol |
News from qatests: Testing Success <http://testing.evergreen-ils.org/~live> |
18:27 |
|
sandbergja joined #evergreen |
20:28 |
|
jvwoolf joined #evergreen |