Updated (7/10/20) AddTrust Root CA Expiration Fix:
Arreya’s development team released an update in early July that resolves the certificate error on some older platforms that were missing the newer root CAs. If your screens are still displaying a certificate error, please reach out to our support team at firstname.lastname@example.org and we’ll be glad to help get your issues sorted.
One of the largest SSL certificate providers and certificate authorities, Sectigo, controls multiple SSL root certificate authorities (CA) that issue intermediate and end entity certificates, that make the web safe, and functional the way we know it today. On May 30th, 2020 the AddTrust Root CA controlled by Sectigo expired causing some media players, SOCs and computers to fail when loading a number of websites, including their Arreya channels. There were two main issues that compounded and caused security issues on the majority of affected platforms. Both issues are due to the fact that they haven’t received software updates for an extended period of time.
The first issue that caused the certificate error was the lack of security updates that typically should include new root CAs. Devices that have updated root CAs after mid 2015 should not exhibit the issue since the new CAs are valid until 2038. Certificates issued through Sectigo are cross signed between the legacy and modern root CAs, so the transition between the old CA and new CA should be seamless. One solution to this issue is to remove old and manually add the new root CAs on the device, which can vary greatly in difficulty depending on the platform.
The second issue that caused the error was a bug in the open source software library OpenSSL that is used to securely transmit information over the internet. OpenSSL is a library that implements the TLS/SSL protocol, and uses SSL certificates to verify the end entity is who it says it is. A bug in older versions of OpenSSL, before around version 1.1.1, had issues verifying the certificate chain with the AddTrust certificate and newer UserTrust and Comodo RSA CAs. This issue is not as easy to resolve correctly, as it requires updating OpenSSL which typically is compiled in the operating system or device firmware.
Many manufacturers are leaning on software providers to fix the issue on the server issue. Server admins can typically fix the issue by deleting the expired AddTrust certificate, and the client won’t run into the OpenSSL bug preventing the alternate UserTrust/Comodo certificate from being verified.
Although this issue can be resolved server side fairly quickly, it exposes a bigger underlying issue. Some of the affected platforms lack regular security updates that would have prevented the issue from occuring in the first place. Certificates expire and rotate constantly, and this is just one instance of the issue occurring. If software libraries aren’t being regularly updated, it’s expected that the same issue will happen again in the future, with other root and intermediate Certificate Authorities.
One of the key aspects to successful digital signage is modern hardware that receives frequent security updates, a major reason we recommend using Chrome devices. Fortunately this issue did not affect the majority of Arreya clients, however if you are experiencing a security error displaying on your screen, please reach out to our support team https://arreya.com/support/