diff options
author | Guilhem Moulin <guilhem@debian.org> | 2024-06-15 21:24:54 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@debian.org> | 2024-06-15 21:27:41 +0200 |
commit | 6362716a94ef687e2d1f5bf662a3329866346675 (patch) | |
tree | 25a195d7ecb58259944aefa5f61e2df9817b52be /debian | |
parent | 6a6146c9f860c9efa8729931c6e439b71b81039e (diff) |
Pointed by Jonathan Wiltshire at https://bugs.debian.org/1073174#12 .
Thanks!
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 13 | ||||
-rw-r--r-- | debian/patches/Fix-post-issuance-validation-logic.patch | 2 |
2 files changed, 8 insertions, 7 deletions
diff --git a/debian/changelog b/debian/changelog index 382a8ed..8a26ff6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,12 @@ lacme (0.8.0-2+deb11u2) bullseye; urgency=medium - * Backport upstream patches to fix fix post-issuance validation logic. - We avoid pining the intermediate certificates in the bundle and instead - validate the leaf certificate with intermediates supplied during issuance - as untrusted (used for chain building only). Only the root certificates - are used as trust anchor. Not pining intermediate certificates is in line - with Let's Encrypt's latest recommendations. + * Backport upstream patches to fix post-issuance validation logic. We avoid + pinning the intermediate certificates in the bundle and instead validate + the leaf certificate with intermediates supplied during issuance as + untrusted (used for chain building only). Only the root certificates are + used as trust anchor. + Not pinning intermediate certificates is in line with Let's Encrypt's + latest recommendations. Closes: #1072847 * Adjust test suite against current Let's Encrypt staging environment. diff --git a/debian/patches/Fix-post-issuance-validation-logic.patch b/debian/patches/Fix-post-issuance-validation-logic.patch index 61f8da3..bbd9f02 100644 --- a/debian/patches/Fix-post-issuance-validation-logic.patch +++ b/debian/patches/Fix-post-issuance-validation-logic.patch @@ -7,7 +7,7 @@ validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. -Not pining intermediate certificates anymore is in line with Let's +Not pinning intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the |