From 03433aad49169183b9619626ecc42b18eb5b4411 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Thu, 12 Jun 2025 22:29:44 +0530
Subject: [PATCH] fix(mbedtls): re-include Starfield Class 2 CA

Some of the endpoints (e.g., httpbin.org) is still relying on the Starfield Class 2 CA in the chain. Added this root certificate as a temporary exception and shall be removed in future.
---
.../mbedtls/esp_crt_bundle/cacrt_local.pem | 29 +++++++++++++++++++
.../esp_crt_bundle/cmn_crt_authorities.csv | 1 +
2 files changed, 30 insertions(+)

diff --git a/components/mbedtls/esp_crt_bundle/cacrt_local.pem b/components/mbedtls/esp_crt_bundle/cacrt_local.pem
index 5c5afaf293..34f9d73290 100644
--- a/components/mbedtls/esp_crt_bundle/cacrt_local.pem
+++ b/components/mbedtls/esp_crt_bundle/cacrt_local.pem
@@ -2,3 +2,32 @@
 ## Local CA Root Certificates
 ##
 ## Local CA Root Certificates that gets appended to "cacrt_all.pem"
+##
+## Starfield Class 2 CA has been removed from the list of trusted CAs
+## from Mozilla's CA Certificate Store. However, it is still used in
+## some endpoints and hence it is included here. This shall be removed
+## once the relevant endpoints are updated to use a different CA.
+
+Starfield Class 2 CA
+====================
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMc
+U3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIg
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBo
+MQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAG
+A1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqG
+SIb3DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf8MOh2tTY
+bitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZ
+JRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVm
+epsZGD3/cVE8MC5fvj13c7JdBmzDI1aaK4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSN
+F4Azbl5KXZnJHoe0nRrA1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HF
+MIHCMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fRzt0f
+hvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNo
+bm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24g
+QXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGs
+afPzWdqbAYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLM
+PUxA2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
+xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynpVSJYACPq4xJD
+KVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEYWQPJIrSPnNVeKtelttQKbfi3
+QBFGmh95DmK/D5fs4C8fF5Q=
+-----END CERTIFICATE-----
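Review bot: The comment block added above the certificate gives a reviewer no way to verify the PEM and no concrete condition for ending the exception, since it carries neither the certificate's fingerprint nor a tracking reference or review date. Per the file header this file is appended to "cacrt_all.pem", so the root becomes a trust anchor for every connection validated against the bundle, not only for the endpoints that still chain to it. I would add `## SHA-256 fingerprint: <fingerprint as published by the CA>` and `## Remove by: <tracking issue or target release>` to the comment, so that the blob can be checked against the CA's published value and the removal is not left open-ended. The removal also has to cover the row added to cmn_crt_authorities.csv in the second hunk.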
diff --git a/components/mbedtls/esp_crt_bundle/cmn_crt_authorities.csv b/components/mbedtls/esp_crt_bundle/cmn_crt_authorities.csv
index 29cdfa5110..3f74fbbc40 100644
--- a/components/mbedtls/esp_crt_bundle/cmn_crt_authorities.csv
+++ b/components/mbedtls/esp_crt_bundle/cmn_crt_authorities.csv
@@ -20,6 +20,7 @@ GlobalSign nv-sa,GlobalSign Root CA - R3
 GlobalSign nv-sa,GlobalSign Root E46
 GlobalSign nv-sa,GlobalSign Root R46
 GoDaddy,Go Daddy Root Certificate Authority - G2
+GoDaddy,Starfield Class 2 CA
 GoDaddy,Starfield Root Certificate Authority - G2
 Google Trust Services LLC,GlobalSign ECC Root CA - R4
 Google Trust Services LLC,GTS Root R1
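Review bot: The new `GoDaddy,Starfield Class 2 CA` row appears to add the root to the reduced common-authorities selection as well as the full bundle, which is wider than the "temporary exception" the description asks for. If the affected endpoints can be served by the full bundle alone, leaving this row out would keep the smaller trust set unchanged; this is inferred from the file name, so please confirm how the list is consumed. The CSV cannot carry a comment, so nothing marks the row as temporary, and the removal note in cacrt_local.pem should name it, e.g. `## Also remove the "Starfield Class 2 CA" row from cmn_crt_authorities.csv`.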