From owner-freebsd-security@freebsd.org Fri Oct 1 14:31:07 2021
From: mike tancsa
To: freebsd-security@freebsd.org
Subject: openssl patch for RELENG_11 to work around Lets Encrypt work around
Date: Fri, 1 Oct 2021 10:31:06 -0400
Message-ID: <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>

I was hoping people with expertise on this issue could chime in about
the implications of running with this patch on FreeBSD 11 which I know
is now out of support.

This patch is inspired by

https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
with caveats from
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

--- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
09:16:51.753533000 -0400
+++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
09:19:39.708106000 -0400
@@ -537,7 +537,7 @@
      "default",                 /* X509 default parameters */
      0,                         /* Check time */
      0,                         /* internal flags */
-     0,                         /* flags */
+     X509_V_FLAG_TRUSTED_FIRST, /* flags */
      0,                         /* purpose */
      0,                         /* trust */
      100,                       /* depth */


Am I opening myself up to more issues by doing this? This is however the default on RELENG_12 and above.

	---Mike

From owner-freebsd-security@freebsd.org Fri Oct 1 22:51:13 2021
Date: Fri, 1 Oct 2021 15:51:04 -0700
From: John-Mark Gurney
To: mike tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: openssl patch for RELENG_11 to work around Lets Encrypt work around
Message-ID: <20211001225104.GA74427@funkthat.com>
In-Reply-To: <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>

mike tancsa wrote this message on Fri, Oct 01, 2021 at 10:31 -0400:
> I was hoping people with expertise on this issue could chime in about
> the implications of running with this patch on FreeBSD 11 which I know
> is now out of support.
> 
> This patch is inspired by
> 
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
> with caveats from
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
> 
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
>       "default",                 /* X509 default parameters */
>       0,                         /* Check time */
>       0,                         /* internal flags */
> -     0,                         /* flags */
> +     X509_V_FLAG_TRUSTED_FIRST, /* flags */
>       0,                         /* purpose */
>       0,                         /* trust */
>       100,                       /* depth */
> 
> 
> Am I opening myself up to more issues by doing this? This is however the default on RELENG_12 and above.

I don't think there are any issues with that patch, but I'd recommend you
just do workaround 1 in the second link, that is, remove the expired DST
X3 cert, and make sure the new ISRG X1 cert is present.

Either way, hosts have to be updated to support it, and this method can
be done via an update to the ca_root_nss package which is less invasive
than the above patch.

-- 
John-Mark Gurney                Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
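Review bot: the hunk changes only the chain-building preference, by setting X509_V_FLAG_TRUSTED_FIRST in the "default" parameter entry; it does not remove the expired DST X3 cert or install the ISRG X1 cert, so it only helps on hosts where the ISRG X1 root the reply mentions is actually present in the trust store. Suggest stating that dependency in the patch description (pair the patch with an up-to-date ca_root_nss, or prefer the reply's workaround 1 outright), and noting in the header that the same flag is already the default on RELENG_12, so this is a backport of existing behaviour rather than a new setting.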
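To see why the two workarounds in this thread behave as they do, here is an added model of the chain builder; it is not OpenSSL code, not the patch above, and not part of the original thread. It reproduces, in simplified form, the chain-building order the linked OpenSSL blog post describes for the 1.0.2 era: grow the chain from the peer-supplied (untrusted) certificates first, then from the trust store, and fall back to an alternative path only when no trust anchor was reached; with "trusted first" (a boolean standing in for X509_V_FLAG_TRUSTED_FIRST) the store is consulted before the untrusted certificates at every step. Only subject/issuer names and expiry are modelled, no signatures, and every certificate name and "day number" is constructed. The error strings mimic OpenSSL's verify messages. It runs the four situations discussed in the thread: the unpatched build with DST X3 still trusted, the patched build, the unpatched build with DST X3 removed, and the patched build on a host where ISRG X1 was never installed.

```python
"""Toy model of X.509 chain building with and without "trusted first" (added example, not OpenSSL code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Result = Tuple[bool, List[str], Optional[str]]  # (ok, chain subjects, error)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: int  # constructed "day number"; the cert is expired once now > not_after

    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed stand-ins for the real hierarchy; the day numbers are not real dates.
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", not_after=100)    # old root, expired after day 100
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", not_after=1000)      # new self-signed root
ISRG_X1_XS = Cert("ISRG Root X1", "DST Root CA X3", not_after=500)  # ISRG X1 cross-signed by DST X3
R3 = Cert("R3", "ISRG Root X1", not_after=400)                      # intermediate
LEAF = Cert("example.test", "R3", not_after=200)                    # server certificate

# What a server sends: leaf, intermediate, and the cross-signed (not the self-signed) ISRG X1.
SERVER_CHAIN = [LEAF, R3, ISRG_X1_XS]


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject matches cert's issuer (name match only)."""
    for candidate in pool:
        if candidate is not cert and candidate.subject == cert.issuer:
            return candidate
    return None


def extend_from_store(chain: List[Cert], trust_store: List[Cert]) -> bool:
    """Append issuers from the trust store until a self-signed cert is reached.

    Returns True when the top of the chain is a self-signed cert that is in the store.
    """
    while not chain[-1].self_signed():
        issuer = find_issuer(chain[-1], trust_store)
        if issuer is None:
            return False
        chain.append(issuer)
    return chain[-1] in trust_store


def build_chain(leaf: Cert, untrusted: List[Cert], trust_store: List[Cert],
                trusted_first: bool, now: int) -> Result:
    chain = [leaf]

    # Phase 1: grow the chain from peer-supplied certificates. With trusted_first,
    # stop as soon as the trust store can supply the next issuer.
    while not chain[-1].self_signed():
        top = chain[-1]
        if trusted_first and find_issuer(top, trust_store) is not None:
            break
        issuer = find_issuer(top, untrusted)
        if issuer is None:
            break
        chain.append(issuer)

    # Phase 2: complete the chain from the trust store.
    anchored = extend_from_store(chain, trust_store)

    # Phase 3: no trust anchor reached; drop certs from the top until an earlier
    # cert's issuer can be found in the store (the "alternative chain" retry).
    if not anchored:
        for i in range(len(chain) - 1, 0, -1):
            issuer = find_issuer(chain[i - 1], trust_store)
            if issuer is not None:
                del chain[i:]
                chain.append(issuer)
                anchored = extend_from_store(chain, trust_store)
                break

    subjects = [c.subject for c in chain]
    if not anchored:
        return False, subjects, "unable to get local issuer certificate"
    for cert in chain:  # validity is checked only once a chain has been chosen
        if now > cert.not_after:
            return False, subjects, f"certificate has expired: {cert.subject}"
    return True, subjects, None


def verify_scenarios(now: int = 150) -> Dict[str, Result]:
    """The four situations from the thread, evaluated after DST X3 has expired (day 150)."""
    with_old_root = [DST_X3, ISRG_X1]
    return {
        "legacy build, DST X3 still in store": build_chain(LEAF, SERVER_CHAIN, with_old_root, False, now),
        "TRUSTED_FIRST, DST X3 still in store": build_chain(LEAF, SERVER_CHAIN, with_old_root, True, now),
        "legacy build, DST X3 removed": build_chain(LEAF, SERVER_CHAIN, [ISRG_X1], False, now),
        "TRUSTED_FIRST, ISRG X1 never installed": build_chain(LEAF, SERVER_CHAIN, [DST_X3], True, now),
    }


if __name__ == "__main__":
    for name, (ok, chain, err) in verify_scenarios().items():
        tail = f" ({err})" if err else ""
        print(f"{name}: {'OK' if ok else 'FAIL'} via {' -> '.join(chain)}{tail}")
```

The first scenario is the failure the thread is about: the untrusted certificates lead to the cross-signed ISRG X1, whose issuer DST X3 is found in the store, so an expired anchor is chosen and verification fails. The patch makes the builder take the self-signed ISRG X1 from the store at the R3 step instead; removing DST X3 achieves the same result on the unpatched build through the alternative-path retry. The last scenario is the caveat the reply implies: without the ISRG X1 root in the store, the flag changes nothing and the chain again ends at the expired DST X3.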