On 2026-06-17 at 17:46:09 UTC-0400 (Thu, 18 Jun 2026 07:46:09 +1000)
Viktor Dukhovni via mailop <[email protected]>
is rumored to have said:

> On Wed, Jun 17, 2026 at 10:00:42AM +0200, Dan Malm via mailop wrote:
>
>> At around 06:00 UTC this morning deliveries to hotmail/outlook and some
>> other microsoft hosted domains started failing with certificate errors...
>> Openssl shows me this on multiple different machines in multiple locations
>> (:
>>
>> ❯ echo QUIT | openssl s_client -quiet -starttls smtp -connect
>> hotmail-com.olc.protection.outlook.com:25
>> Connecting to 52.101.9.25
>> depth=1 C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
>> CN=mail.protection.outlook.com
>> verify return:1
>
> Specifying an appropriate CAfile is sometimes necessary.

Yes.

The cert.pem from curl-ca-bundle v8.20.0, dated 2026-06-08 does NOT have a 
"DigiCert Global Root CA" certificate.

The cert.pem from ca_root_nss v3.124 on FreeBSD 14.4-p6, dated 2026-05-23 does 
NOT have a "DigiCert Global Root CA" certificate.

The cert.pem from base on FreeBSD 8 claims to be extracted from nss-3.20 and it 
DOES HAVE a "DigiCert Global Root CA" certificate.

The cert.pem in both macOS Tahoe & Sequoia is labeled "$OpenBSD: cert.pem,v 
1.22.2.1 2021/09/30" and it DOES HAVE a "DigiCert Global Root CA"

I deduce from this set of facts that DigiCert is withdrawing this intermediate 
but Microsoft didn't get the memo.



> I get:
>
>     $ posttls-finger -c -Lsummary,certmatch -F /etc/pki/tls/cert.pem 
> "[hotmail-com.olc.protection.outlook.com]"
>     posttls-finger: hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: 
> matched peername: *.olc.protection.outlook.com
>     posttls-finger: hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: 
> subject_CN=mail.protection.outlook.com, issuer=DigiCert Cloud Services CA-1, 
> cert 
> fingerprint=64:92:B2:B9:D2:0E:70:70:A1:F1:8A:59:B9:1D:17:29:C2:83:C1:98:CE:18:B7:61:0D:76:31:D6:5E:81:6F:5B,
>  pkey 
> fingerprint=C4:95:D9:E4:0F:7E:62:5B:E2:2F:83:CC:64:30:51:82:AB:0F:E7:42:32:DE:30:DB:8B:21:8D:09:65:0C:B0:EA
>     posttls-finger: Verified TLS connection established to 
> hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: TLSv1.3 with cipher 
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange secp384r1 server-signature 
> RSA-PSS (2048 bits) server-digest SHA256
>
> The chain sent is:
>
>     $ posttls-finger -cC -Lsummary,certmatch -F /etc/pki/tls/cert.pem 
> "[hotmail-com.olc.protection.outlook.com]" |
>       openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
>       openssl pkcs7 -print_certs -noout
>     subject=C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
> CN=mail.protection.outlook.com
>     issuer=C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
>
>     subject=C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
>     issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root 
> CA
>
> With s_client:
>
>     $ openssl s_client -CAfile /etc/pki/tls/cert.pem -starttls smtp \
>         -connect hotmail-com.olc.protection.outlook.com:25 \
>         -brief
>     Connecting to 52.101.41.1
>     CONNECTION ESTABLISHED
>     Protocol version: TLSv1.3
>     Ciphersuite: TLS_AES_256_GCM_SHA384
>     Requested Signature Algorithms: 
> RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:UNDEF:ECDSA+SHA256:ECDSA+SHA384:UNDEF:UNDEF:RSA+SHA512:ECDSA+SHA512
>     Peer certificate: C=US, ST=Washington, L=Redmond, O=Microsoft 
> Corporation, CN=mail.protection.outlook.com
>     Hash used: SHA256
>     Signature type: rsa_pss_rsae_sha256
>     Verification: OK
>     Peer Temp Key: ECDH, secp384r1, 384 bits
>     250 SMTPUTF8
>     DONE
>
> -- 
>     Viktor.  🇺🇦 Слава Україні!
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop


-- 
 Bill Cole
 [email protected] or [email protected]
 (AKA @[email protected] and many *@billmail.scconsult.com addresses)
 Please keep discussion mailing list replies *on-list*
 Not Currently Available For Hire
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

Reply via email to