ISRG Root X1 Certificate on Android versions below 8 #2708
Gedsh
started this conversation in
Potential issues
Replies: 3 comments
-
Do actual servers still use that certificate?
-
Yes. And quite often. A lot of DOH servers chose Let's Encrypt because it's free.
-
If we take InviZible's default DOH servers ‘ahadns-doh-la’, ‘dnsforge.de’, ‘libredns-noads’, ‘mullvad-base-doh’ - none of them work on Android below 8.
-
Unfortunately, this code doesn't work for Android versions below 8, as Go still checks the chain of trust, while ISRG Root X1 is self-signed.
The only solution is to add `tlsClientConfig.InsecureSkipVerify = true`, which completely disables certificate chain verification. But this is not acceptable for security reasons.
Also, the ISRG Root X1 certificate that was cross-signed by IdenTrust's DST Root CA X3 recently expired. It was a workaround until the first of October. https://letsencrypt.org/2023/07/10/cross-sign-expiration.html
Is there any solution to add an ISRG Root X1 certificate to DNSCrypt and not disable certificate chain verification completely?
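An added example, not taken from the post or from DNSCrypt: in Go's `crypto/tls`, a root that the device's store lacks can be trusted by adding it to the `RootCAs` pool of the `tls.Config`, which leaves chain and hostname verification enabled. The CA and leaf are generated at run time as stand-ins for ISRG Root X1 and a DoH server certificate; `configWithExtraRoots`, `issue`, `check` and the `example.test` names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// configWithExtraRoots trusts the platform roots plus the given CA certificates.
// InsecureSkipVerify stays false, so chain and hostname checks still run.
func configWithExtraRoots(extra ...*x509.Certificate) *tls.Config {
	pool, err := x509.SystemCertPool() // a copy; the global store is untouched
	if err != nil {
		pool = x509.NewCertPool() // platform store unreadable: start empty
	}
	for _, c := range extra {
		pool.AddCert(c)
	}
	return &tls.Config{RootCAs: pool}
}

// issue builds a constructed test certificate (errors ignored, fixture only);
// a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, key.Public(), signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check verifies a stand-in leaf against an empty pool, then the extended pool.
func check(host string) (without, with error) {
	root, rootKey := issue("standin-root.example.test", nil, nil)
	leaf, _ := issue(host, root, rootKey)
	_, without = leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host})
	_, with = leaf.Verify(x509.VerifyOptions{Roots: configWithExtraRoots(root).RootCAs, DNSName: host})
	return without, with
}

func main() { fmt.Println(check("doh.example.test")) }
```

In an app the real root would typically be parsed from a bundled PEM file before being added to the pool.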