On 2026-06-17 at 17:46:09 UTC-0400 (Thu, 18 Jun 2026 07:46:09 +1000) Viktor Dukhovni via mailop <[email protected]> is rumored to have said:
> On Wed, Jun 17, 2026 at 10:00:42AM +0200, Dan Malm via mailop wrote: > >> At around 06:00 UTC this morning deliveries to hotmail/outlook and some >> other microsoft hosted domains started failing with certificate errors... >> Openssl shows me this on multiple different machines in multiple locations >> (: >> >> ❯ echo QUIT | openssl s_client -quiet -starttls smtp -connect >> hotmail-com.olc.protection.outlook.com:25 >> Connecting to 52.101.9.25 >> depth=1 C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1 >> verify error:num=20:unable to get local issuer certificate >> verify return:1 >> depth=0 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, >> CN=mail.protection.outlook.com >> verify return:1 > > Specifying an appropriate CAfile is sometimes necessary. Yes. The cert.pem from curl-ca-bundle v8.20.0, dated 2026-06-08 does NOT have a "DigiCert Global Root CA" certificate. The cert.pem from ca_root_nss v3.124 on FreeBSD 14.4-p6, dated 2026-05-23 does NOT have a "DigiCert Global Root CA" certificate. The cert.pem from base on FreeBSD 8 claims to be extracted from nss-3.20 and it DOES HAVE a "DigiCert Global Root CA" certificate. The cert.pem in both macOS Tahoe & Sequoia is labeled "$OpenBSD: cert.pem,v 1.22.2.1 2021/09/30" and it DOES HAVE a "DigiCert Global Root CA" I deduce from this set of facts that DigiCert is withdrawing this intermediate but Microsoft didn't get the memo. > I get: > > $ posttls-finger -c -Lsummary,certmatch -F /etc/pki/tls/cert.pem > "[hotmail-com.olc.protection.outlook.com]" > posttls-finger: hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: > matched peername: *.olc.protection.outlook.com > posttls-finger: hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: > subject_CN=mail.protection.outlook.com, issuer=DigiCert Cloud Services CA-1, > cert > fingerprint=64:92:B2:B9:D2:0E:70:70:A1:F1:8A:59:B9:1D:17:29:C2:83:C1:98:CE:18:B7:61:0D:76:31:D6:5E:81:6F:5B, > pkey > fingerprint=C4:95:D9:E4:0F:7E:62:5B:E2:2F:83:CC:64:30:51:82:AB:0F:E7:42:32:DE:30:DB:8B:21:8D:09:65:0C:B0:EA > posttls-finger: Verified TLS connection established to > hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: TLSv1.3 with cipher > TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange secp384r1 server-signature > RSA-PSS (2048 bits) server-digest SHA256 > > The chain sent is: > > $ posttls-finger -cC -Lsummary,certmatch -F /etc/pki/tls/cert.pem > "[hotmail-com.olc.protection.outlook.com]" | > openssl crl2pkcs7 -nocrl -certfile /dev/stdin | > openssl pkcs7 -print_certs -noout > subject=C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, > CN=mail.protection.outlook.com > issuer=C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1 > > subject=C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1 > issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root > CA > > With s_client: > > $ openssl s_client -CAfile /etc/pki/tls/cert.pem -starttls smtp \ > -connect hotmail-com.olc.protection.outlook.com:25 \ > -brief > Connecting to 52.101.41.1 > CONNECTION ESTABLISHED > Protocol version: TLSv1.3 > Ciphersuite: TLS_AES_256_GCM_SHA384 > Requested Signature Algorithms: > RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:UNDEF:ECDSA+SHA256:ECDSA+SHA384:UNDEF:UNDEF:RSA+SHA512:ECDSA+SHA512 > Peer certificate: C=US, ST=Washington, L=Redmond, O=Microsoft > Corporation, CN=mail.protection.outlook.com > Hash used: SHA256 > Signature type: rsa_pss_rsae_sha256 > Verification: OK > Peer Temp Key: ECDH, secp384r1, 384 bits > 250 SMTPUTF8 > DONE > > -- > Viktor. 🇺🇦 Слава Україні! > _______________________________________________ > mailop mailing list > [email protected] > https://list.mailop.org/listinfo/mailop -- Bill Cole [email protected] or [email protected] (AKA @[email protected] and many *@billmail.scconsult.com addresses) Please keep discussion mailing list replies *on-list* Not Currently Available For Hire _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
