IDA: Lumina certificate expiration on October 10, 2019
Intended audience
All users of IDA 7.4 that rely on the Lumina service.
The problem: certificate expiration date on Oct 10th, 2019
IDA 7.4 has a relatively simple method for checking the server certificate that it receives when connecting to the lumina.hex-rays.com host.
That method was fine as a first shot, but we are now fast approaching October 10th, 2019, the end of the one-year validity period of the certificate that IDA relies on.
Does that mean IDA won’t be able to connect to lumina.hex-rays.com?
Yes, it means just that: IDA will receive the certificate from the lumina.hex-rays.com server, but even before IDA can perform its own checks, the basic validation performed by the lower-level library (e.g., libssl) will fail because the certificate has expired.
Is there a workaround?
Yes. We knew from the beginning that this day would come, and until we implement a more traditional certificate chain validation (à la web browser), we have left open the possibility of providing an additional certificate to IDA, in the form of a path/to/ida-install/hexrays.crt file.
How to act?
On October 10th, 2019, if you ever notice that IDA fails to contact the lumina.hex-rays.com host, please:
- download hexrays.crt (shasum: 7e47e7e22dc833c72ee015d4d4e063171f639cfb)
- place it either:
  - next to IDA, in IDA’s installation dir, or
  - in %APPDATA%\Hex-Rays\IDA Pro (on Windows), or ~/.idapro (on Linux & OSX)
and you should be good to go.
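The steps above as a script that refuses to install the file unless its digest matches the published one. This is an added example, not Hex-Rays code; it assumes the published shasum is a SHA-1 digest (40 hex digits), and the function names are hypothetical.

```python
import hashlib
import os
import shutil
import sys
from pathlib import Path

# Digest published in the advisory for hexrays.crt (assumed to be SHA-1).
EXPECTED_SHA1 = "7e47e7e22dc833c72ee015d4d4e063171f639cfb"


def ida_user_dir(platform=sys.platform, env=os.environ):
    """Per-user IDA directory named in the advisory."""
    if platform.startswith("win"):
        return Path(env["APPDATA"]) / "Hex-Rays" / "IDA Pro"
    return Path.home() / ".idapro"


def sha1_of(path):
    """Hex SHA-1 of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def install_cert(downloaded, dest_dir=None, expected=EXPECTED_SHA1):
    """Copy the download into place only if its digest matches; return the target."""
    actual = sha1_of(downloaded)
    if actual != expected.lower():
        raise ValueError(f"digest mismatch: got {actual}, expected {expected}")
    dest_dir = Path(dest_dir) if dest_dir else ida_user_dir()
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / "hexrays.crt"
    tmp = dest_dir / "hexrays.crt.tmp"
    shutil.copyfile(downloaded, tmp)
    # Re-hash the copy so a file swapped between check and copy is not installed.
    if sha1_of(tmp) != expected.lower():
        tmp.unlink()
        raise ValueError("file changed while being copied")
    os.replace(tmp, target)  # atomic rename; an existing file stays intact on failure
    return target


if __name__ == "__main__":
    print("installed", install_cert(sys.argv[1]))
```

To install next to IDA instead of the per-user directory, pass IDA's installation directory as dest_dir.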
In the future
In IDA 7.5, we implemented a proper certificate chain validation mechanism (similar to what browsers do), so this workaround is not necessary for it or later versions.