Review impact of let's encrypt CA change

[yschimke]

Effective: As of January 11, 2021

https://letsencrypt.org/2020/11/06/own-two-feet.html

However, this does introduce some compatibility woes. Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.

Potentially we could promote adoption of Conscrypt for older clients and confirm they are shipping updated CA certs outside of the App?

[yschimke]

Asked on https://community.letsencrypt.org/t/mobile-client-workarounds-for-isrg-issue/137807

[yschimke]

test server https://valid-isrgrootx1.letsencrypt.org

[swankjesse]

We should also check that our cert pinning code does something reasonable for cross-signed certs. I suspect that might be a common mitigation?

[yschimke]

My current suggestion is a stackoverflow Question and self answer with sample code like the following (with correct certificate of course)

  val cert: X509Certificate = """
   -----BEGIN CERTIFICATE-----
   MIIBFzCBwgIJAIVAqagcVN7/MA0GCSqGSIb3DQEBBAUAMBMxETAPBgNVBAMMCGNh
   c2guYXBwMB4XDTE5MDkwNzAyMjg0NFoXDTE5MDkwODAyMjg0NFowEzERMA8GA1UE
   AwwIY2FzaC5hcHAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA8qAeoubm4mBTD9/J
   ujLQkfk/fuJt/T5pVQ1vUEqxfcMw0zYgszQ5C2MiIl7M6JkTRKU01q9hVFCR83wX
   zIdrLQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAO1UpwhrkW3Ho1nZK/taoUQOoqz/n
   HFVMtyEkm5gBDgz8nJXwb3zbegclQyH+kVou02S8zC5WWzEtd0R8S0LsTA==
   -----END CERTIFICATE----- 
  """.trimIndent().parsePemCertificate().toX509Certificate()

  val handshakeCertificates = HandshakeCertificates.Builder()
      .addPlatformTrustedCertificates()
      .addTrustedCertificate(cert)
      .build()

  val client = OkHttpClient.Builder()
      .sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager)
      .build()

[swankjesse]

I like that!

[swankjesse]

Should we post this in our changelog? Or on our website?

[yschimke]

Should we post this in our changelog? Or on our website?

I'm working on a confirmed fix now. Then yes, but stackoverflow is the right forum for the canonical answer.

[yschimke]

The fix works, but is complicated by Junit5 requirements on Android...

[yschimke]

Closing this out. Think the two test cases and stackoverflow + forum post are better than the samples.