Date: Fri, 1 Oct 2021 10:31:06 -0400
From: mike tancsa <mike@sentex.net>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: openssl patch for RELENG_11 to work around Lets Encrypt work around
Message-ID: <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>
I was hoping people with expertise on this issue could chime in about the implications of running with this patch on FreeBSD 11, which I know is now out of support. This patch is inspired by https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig with caveats from https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

--- crypto/openssl/crypto/x509/x509_vpm.c.prev 2021-10-01 09:16:51.753533000 -0400 +++ crypto/openssl/crypto/x509/x509_vpm.c 2021-10-01 09:19:39.708106000 -0400 @@ -537,7 +537,7 @@ "default", /* X509 default parameters */ 0, /* Check time */ 0, /* internal flags */ - 0, /* flags */ + X509_V_FLAG_TRUSTED_FIRST, /* flags */ 0, /* purpose */ 0, /* trust */ 100, /* depth */

Am I opening myself up to more issues by doing this? This is however the default on RELENG_12 and above.

---Mike
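
Review bot: the new "flags" initializer in the "default" entry has no comment explaining why it differs from the previous value of 0, so a later merge or cleanup of this table could silently revert it. Suggest a short comment beside "X509_V_FLAG_TRUSTED_FIRST, /* flags */" naming the Let's Encrypt root expiry workaround and the OpenBSD patch it follows. Since this is the entry labelled "X509 default parameters", the flag applies to every verification that uses the default parameters, not only to the Let's Encrypt case, and the comment or commit message should state that scope.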
