It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the distrusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.
The roots are:
Staat der Nederlanden Root CA
(successfully exempted)
Staat der Nederlanden Root CA - G2
(accidentally included)
The line of code is this one:
if (!strcmp(node->cert->issuerName,
"CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...
This check needs to include both the names above.
Test site: https://sha2.diginotar.nl/
Gerv
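An added illustration of the fix this comment asks for, written for this page and not taken from the bug's patch or from Mozilla/NSS code: the exemption compares `issuerName` against both Staat der Nederlanden root DNs instead of one. The only things taken from the comment are the two DN strings and the idea of a `strcmp` on `node->cert->issuerName`; the `ExampleCert` struct, the substring match on "DigiNotar", the blocking rule and the sample chains are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A chain node reduced to the two fields the check reads. Constructed for
 * this example; the real NSS CERTCertificate carries far more. */
typedef struct {
    const char *subjectName;
    const char *issuerName;
} ExampleCert;

/* Both Staat der Nederlanden root DNs named in the bug, in the same
 * "CN=...,O=...,C=NL" string form the original strcmp compares against. */
static const char *const kExemptIssuerNames[] = {
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL",
    "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL",
};

/* The fix: the exemption matches either root, not only the first one. */
bool issuerIsExemptedDutchRoot(const char *issuerName)
{
    size_t count = sizeof(kExemptIssuerNames) / sizeof(kExemptIssuerNames[0]);
    for (size_t i = 0; i < count; i++) {
        if (strcmp(issuerName, kExemptIssuerNames[i]) == 0)
            return true;
    }
    return false;
}

/* Assumed shape of the block (not the real patch): a chain is rejected if
 * any cert in it is a DigiNotar CA, unless that CA is itself signed by one
 * of the exempted Staat der Nederlanden roots. The substring test on
 * "DigiNotar" stands in for however the real patch recognises those CAs. */
bool chainBlockedByDigiNotarRule(const ExampleCert *chain, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        const ExampleCert *node = &chain[i];
        if (strstr(node->subjectName, "DigiNotar") == NULL)
            continue;            /* not a DigiNotar cert: nothing to block */
        if (issuerIsExemptedDutchRoot(node->issuerName))
            continue;            /* DigiNotar CA under an exempted root */
        return true;             /* DigiNotar CA with no exemption */
    }
    return false;
}

/* Constructed sample chains (leaf first). Subject names are made up. */
static const ExampleCert kChainUnderG1[] = {
    {"CN=example-g1.test,O=Example,C=NL",
     "CN=DigiNotar Example CA under G1,O=Example,C=NL"},
    {"CN=DigiNotar Example CA under G1,O=Example,C=NL",
     "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"},
};
static const ExampleCert kChainUnderG2[] = {
    {"CN=example-g2.test,O=Example,C=NL",
     "CN=DigiNotar Example CA under G2,O=Example,C=NL"},
    {"CN=DigiNotar Example CA under G2,O=Example,C=NL",
     "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"},
};
static const ExampleCert kChainUnderDigiNotarRoot[] = {
    {"CN=example-dn.test,O=Example,C=NL",
     "CN=DigiNotar Example Intermediate,O=Example,C=NL"},
    {"CN=DigiNotar Example Intermediate,O=Example,C=NL",
     "CN=DigiNotar Example Root,O=Example,C=NL"},
};

int main(void)
{
    printf("under G1 root:        %s\n",
           chainBlockedByDigiNotarRule(kChainUnderG1, 2) ? "blocked" : "allowed");
    printf("under G2 root:        %s\n",
           chainBlockedByDigiNotarRule(kChainUnderG2, 2) ? "blocked" : "allowed");
    printf("under DigiNotar root: %s\n",
           chainBlockedByDigiNotarRule(kChainUnderDigiNotarRoot, 2) ? "blocked" : "allowed");
    return 0;
}
```

With the single-string `strcmp` from the comment, the second chain (under the G2 root) would be reported as blocked; with the table of both DNs it is allowed, while a chain that ends at a DigiNotar root is still blocked. Keeping the exempt DNs in a table also makes it harder to miss a root the next time the store changes.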