BjarniRunar
commented
4 years ago Also: As long as we are embedding CA root certs, we should maybe also teach PageKite to stop trying to validate things once those have expired. Yes, an un-updated, 10-year-old pagekite.py may be quite problematic. But that's likely to only happen in an embedded solution and auto-bricking people's devices is very impolite.
This needs more thought.
We just suffered one of our largest outages ever, because pagekite.py bundles CA Root Certificates instead of relying on those provided by the operating system, and a cert we relied upon expired.
Details here: https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/
This issue will probably never be closed, unless I automate my build systems so they always pull in up-to-date certs. Otherwise this is a standing reminder to myself to not let this happen again.
(Note, this will be resolved differently on Debian, and we may adopt their solution for our own packages. However, this will remain an issue for the single-file
pagekite.py.)