ISRG Root X1 Certificate on Android versions below 8 #2708
Gedsh
started this conversation in
Potential issues
Replies: 3 comments
-
|
Do actual servers still use that certificate? |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Yes. And quite often. A lot of DOH servers chose Let's Encrypt because it's free. |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
If we take InviZIble's default DOH servers ‘ahadns-doh-la’, ‘dnsforge.de’, ‘libredns-noads’, ‘mullvad-base-doh’ - none of them work on android below 8. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Unfortunately, this code doesn't work for Android versions below 8, as Go still checks the chain of trust, while ISRG Root X1 is self-signed.
The only solution is to add tlsClientConfig.InsecureSkipVerify = true, which completely disables certificate chain verification. But this is not acceptable for security reasons.
Also, recently expired ISRG Root X1 certificate, which was cross-signed by IdenTrust's DST Root CA X3. It was a workaround until the first of October. https://letsencrypt.org/2023/07/10/cross-sign-expiration.html
Is there any solution to add an ISRG Root X1 certificate to DNSCrypt and not disable certificate chain verification completely?
Beta Was this translation helpful? Give feedback.
All reactions