<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
More info:<br>
<br>
All my browsers already have a built-in ISRG X1 certificate signed by
ISRG only; that's the new version:<br>
<br>
<a class="moz-txt-link-freetext" href="https://crt.sh/?id=9314791">https://crt.sh/?id=9314791</a><br>
<br>
My server still sends the ISRG X1 certificate cross-signed / issued
by DST Root CA X3. That's the chain it got from Let's Encrypt (via
certbot) on the last renewal (last month!):<br>
<br>
<a class="moz-txt-link-freetext" href="https://crt.sh/?id=3958242236">https://crt.sh/?id=3958242236</a><br>
<br>
Without the DST root cert, WolfSSL then fails to validate the DST-signed
X1 root certificate (I assume):
<a class="moz-txt-link-freetext" href="https://www.wolfssl.com/docs/wolfssl-manual/ch7/">https://www.wolfssl.com/docs/wolfssl-manual/ch7/</a><br>
<br>
My servers will continue sending that chain including the outdated
root cert probably until the next renewal, so it's possible that having
added the new X1 root certificate didn't solve the issue.<br>
<br>
The browsers seem to know how to substitute the DST-signed
certificate with the built-in self-signed one (?). Is there a similar
option in WolfSSL, and do we need to enable that?<br>
<br>
Steve, can you confirm this? Do you know a solution?<br>
<br>
Regards,<br>
Michael<br>
<br>
<br>
<div class="moz-cite-prefix">On 28.09.21 at 15:34, Michael Balzer wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2148fa6f-aaf0-a62a-3393-25c890ee2fe1@expeedo.de">
I've tried adding the intermediate cert ("R3") and then also my
site certificate, that didn't help.<br>
<br>
Only adding the DST cert again fixes the connection.<br>
<br>
Any ideas?<br>
<br>
<br>
<pre>OVMS# tls trust list
…
ISRG Root X1 length 1939 bytes
1939 byte certificate: ISRG Root X1
cert. version     : 3
serial number     : 82:10:CF:B0:D2:40:E3:59:44:63:E0:BB:63:82:8B:00
issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name      : C=US, O=Internet Security Research Group, CN=ISRG Root X1
issued on         : 2015-06-04 11:04:38
expires on        : 2035-06-04 11:04:38
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign
…
dexter length 1972 bytes
1972 byte certificate: dexter
cert. version     : 3
serial number     : 04:55:1D:F4:27:A3:7D:E9:E4:A8:5C:37:F6:A1:61:87:3C:E5
issuer name       : C=US, O=Let's Encrypt, CN=R3
subject name      : CN=dexter.shopdriver.de
issued on         : 2021-08-07 05:47:57
expires on        : 2021-11-05 05:47:55
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : dexter.shopdriver.de, dexters-web.de, ovms.dexters-web.de, www.dexter.shopdriver.de, www.dexters-web.de
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
…
r3 length 1826 bytes
1826 byte certificate: r3
cert. version     : 3
serial number     : 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A
issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name      : C=US, O=Let's Encrypt, CN=R3
issued on         : 2020-09-04 00:00:00
expires on        : 2025-09-15 16:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign
ext key usage     : TLS Web Client Authentication, TLS Web Server Authentication
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 28.09.21 at 15:07, Michael Balzer wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2de8041f-aa24-c8bb-b185-709993b0bb10@expeedo.de">
We would need to bypass / shortcut the "eap" test phase.<br>
<br>
But I agree, "master" is stable, I haven't had any issues or
reports, so I think we could do that. The FreeRTOS timer issue
I'm working on only affects very specific conditions, so not
necessary to wait for that.<br>
<br>
Should we remove the expiring DST certificate in that release
then?<br>
<br>
…uh oh: just tried removing the DST certificate: the module
cannot connect to my server anymore…!?<br>
<br>
<pre>I (490213) ovms-server-v2: Connection is ovms.dexters-web.de:6870 TEST1
I (490213) ovms-server-v2: Status: Connecting...
V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CONNECT=-3)
W (490723) ovms-server-v2: Connection failed
E (490723) ovms-server-v2: Status: Error: Connection failed
V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CLOSE)
I (490723) ovms-server-v2: Status: Disconnected</pre>
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 28.09.21 at 14:32, Mark Webb-Johnson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D612B1E5-EA64-4CC1-89DD-66EAE385A654@webb-johnson.net">
<div dir="ltr">Shall we release a full update? The last 3.2?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">What we have now in master seems stable.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Mark</div>
<div dir="ltr"><br>
<blockquote type="cite">On 28 Sep 2021, at 5:39 PM, Michael
Balzer <a class="moz-txt-link-rfc2396E"
href="mailto:dexter@expeedo.de" moz-do-not-send="true"><dexter@expeedo.de></a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
Everyone,<br>
<br>
the DST root certificate we include (DST Root CA X3)
expires on September 30, i.e. in two days.<br>
<br>
<pre>OVMS# tls trust list
DST Root CA X3 length 1200 bytes
1200 byte certificate: DST Root CA X3
cert. version     : 3
serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
issued on         : 2000-09-30 21:12:19
<b>expires on        : 2021-09-30 14:01:15</b>
signed using      : RSA with SHA1
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign</pre>
<br>
AFAICT, this root certificate is currently used by the
OVMS to validate Let's Encrypt certificates.<br>
<ul>
<li><a class="moz-txt-link-freetext"
href="https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/"
moz-do-not-send="true">https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/</a></li>
<li><a class="moz-txt-link-freetext"
href="https://letsencrypt.org/docs/certificate-compatibility/"
moz-do-not-send="true">https://letsencrypt.org/docs/certificate-compatibility/</a><br>
</li>
</ul>
Unfortunately, we missed adding the follow-up LE root
certificate "ISRG Root X1" in time.<br>
<br>
I've just added that certificate to our builtin
certificate repository, but it's too late now to roll out
a "main" update in time (isn't it?).<br>
<br>
So, to prevent losing TLS connectivity with LE servers,
users need to manually add the ISRG Root X1 certificate to
their TLS repositories.<br>
<br>
I've added a section on this to our user manual:<br>
<ul>
<li><a class="moz-txt-link-freetext"
href="https://docs.openvehicles.com/en/latest/userguide/ssltls.html"
moz-do-not-send="true">https://docs.openvehicles.com/en/latest/userguide/ssltls.html</a></li>
</ul>
If users contact you, point them to that page.<br>
<br>
We probably should also remove the expired DST root
certificate after September 30.<br>
<br>
Regards,<br>
Michael<br>
<br>
<pre class="moz-signature" cols="72">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26</pre>
<span>_______________________________________________</span><br>
<span>OvmsDev mailing list</span><br>
<span><a class="moz-txt-link-abbreviated"
href="mailto:OvmsDev@lists.openvehicles.com"
moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a></span><br>
<span><a class="moz-txt-link-freetext"
href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev"
moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a></span><br>
</div>
</blockquote>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</body>
</html>