diff options
author | Guilhem Moulin <guilhem@debian.org> | 2024-06-15 21:24:54 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@debian.org> | 2024-06-16 00:10:26 +0200 |
commit | c750e5b8a31ed5267150167ac68b5a5f89fc488b (patch) | |
tree | 94bb8b32e179addc8892984c52150f8911f0b50a | |
parent | db39468162d7631abe75bd2cfbde92c69a3520cd (diff) |
Pointed by Jonathan Wiltshire at https://bugs.debian.org/1073174#12 .
Thanks!
-rw-r--r-- | debian/changelog | 13 | ||||
-rw-r--r-- | debian/patches/Fix-post-issuance-validation-logic.patch | 2 |
2 files changed, 8 insertions, 7 deletions
diff --git a/debian/changelog b/debian/changelog index 9a0e819..febb402 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,12 @@ lacme (0.8.2-1+deb12u1) bookworm; urgency=medium - * Backport upstream patches to fix post-issuance validation logic. - We avoid pining the intermediate certificates in the bundle and instead - validate the leaf certificate with intermediates supplied during issuance - as untrusted (used for chain building only). Only the root certificates - are used as trust anchor. Not pining intermediate certificates is in line - with Let's Encrypt's latest recommendations. + * Backport upstream patches to fix post-issuance validation logic. We avoid + pinning the intermediate certificates in the bundle and instead validate + the leaf certificate with intermediates supplied during issuance as + untrusted (used for chain building only). Only the root certificates are + used as trust anchor. + Not pinning intermediate certificates is in line with Let's Encrypt's + latest recommendations. Closes: #1072847 * Adjust test suite against current Let's Encrypt staging environment. * d/gbp.conf: Set 'debian-branch = debian/bookworm'. diff --git a/debian/patches/Fix-post-issuance-validation-logic.patch b/debian/patches/Fix-post-issuance-validation-logic.patch index 1453055..6296928 100644 --- a/debian/patches/Fix-post-issuance-validation-logic.patch +++ b/debian/patches/Fix-post-issuance-validation-logic.patch @@ -7,7 +7,7 @@ validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. -Not pining intermediate certificates anymore is in line with Let's +Not pinning intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the |