In that case they would have been probably quick with a statement that there is no problem in their product, but blaming the customers for running unsupported versions.
But it's not unreasonable that the certificate-in-question is indeed a root CA: all machines (not just this specific Verifone model) will error-out on an expired end-entity certificates and the same can be said to intermediates (assuming that they don't issue directly from root). I've checked the original post where they're talking about this and it mentioned a server certificate so unless that machine choked on ECC certificates (possible but considering that no-one in the banking industry has encountered it as the error and the solution is a firmware upgrade, not that the server must back out of ECC deployment or apply dual ECC/RSA capabilities), speculating that this is something that other than root certificates doesn't align out with reality.
Sounds very much like history repeating [1]. They still cannot provide a stable fix and claim that it is not a certificate problem in their communication to users. This is somehow unlikely as this would also explain why remote updates won't work. Wonder what the lessons learned can be (if this is true): always have two update sites with a different cert path? Is this something that is a standardized best practice?
After the "G1" root certificate is removed, users in environments that have not transitioned to the "G2" root certificate may experience issues that affect the following scenarios:
TLS or SSL connections.
Client authentication, including establishing VPN connections.
Smart card or PIV authenticated access, including badge access that relies completely on Windows software.
10 comments
[ 2.7 ms ] story [ 23.0 ms ] threadThey forgot to install a renewed one to their trust base? Just guessing.
Even if it's no longer sold, they advertise it as their most-sold model with 350,000 installations.
Wait, what root certificate expired today or yesterday? It seems not covered by Mozilla or Microsoft though, so perhaps a custom CA?
[1] https://desormaismgt.com/may-2019-verifone-vx520-certificate...
and this might be the reason. . or am i wrong?
https://docs.microsoft.com/en-us/troubleshoot/windows-server...
>> Potential issues:
After the "G1" root certificate is removed, users in environments that have not transitioned to the "G2" root certificate may experience issues that affect the following scenarios:
TLS or SSL connections.
Client authentication, including establishing VPN connections.
Smart card or PIV authenticated access, including badge access that relies completely on Windows software.