From: mike tancsa
To: "freebsd-security@freebsd.org"
Subject: Re: openssl patch for RELENG_11 to work around Lets Encrypt work around
Date: Mon, 4 Oct 2021 09:44:02 -0400
Message-ID: <4d54f1ae-3989-b07e-c75a-c30755cd8bb3@sentex.net>
In-Reply-To: <20211001225104.GA74427@funkthat.com>
Attachment: ca-cert-patch.txt (text/plain)

From: Eugene Grosbein
To: mike tancsa, "freebsd-security@freebsd.org"
Subject: Re: openssl patch for RELENG_11 to work around Lets Encrypt work around
Date: Tue, 5 Oct 2021 13:40:05 +0700
Message-ID: <33721447-02f8-c63e-bc99-f6bdda6d3cf1@grosbein.net>
In-Reply-To: <4d54f1ae-3989-b07e-c75a-c30755cd8bb3@sentex.net>

04.10.2021 20:44, mike tancsa wrote:

> I guess the one challenge is that I need to update the future updates.
> pkg upgrade will fetch the latest ca_root_nss: 3.69 -> 3.69_1 again,
> which has the problematic cert. I then need to patch again. I wonder if
> this is why OpenBSD just went the flags way? Granted, this is
> RELENG_11 which is out of support now anyways. But for the archives,
> removing the cert via the attached patch and making sure
> /usr/local/etc/ssl/cert.pem points to
> /usr/local/share/certs/ca-root-nss.crt fixes up fetch and lib fetch users.

It is meaningless to run pkg upgrade for stable/11 these days.
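
The concern in this thread is that a later `pkg upgrade` of ca_root_nss puts the expired root back into the bundle. The shell functions below are an added example, not part of either message: they list bundle entries whose `Not After` annotation is in the past and confirm that cert.pem resolves to the bundle. They assume the bundle carries openssl-style text annotations (`Not After :`, then `Subject:`) for each certificate; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the CA bundle carries
# openssl-style text annotations ("Not After :", then "Subject:") for each
# certificate. The annotations are trusted as written; no DER is parsed.

# expired_roots BUNDLE [NOW]
# Prints "subject<TAB>not-after" for every annotated certificate whose
# Not After is earlier than NOW (UTC, YYYYMMDDHHMMSS; default: current time).
expired_roots() {
    awk -v now="${2:-$(date -u +%Y%m%d%H%M%S)}" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        /^[ \t]*Not After[ \t]*:/ {          # "Not After : Sep 30 14:01:15 2021 GMT"
            sub(/^[ \t]*Not After[ \t]*:[ \t]*/, "")
            raw = $0
            split(raw, f, " "); split(f[3], t, ":")
            stamp = sprintf("%04d%02d%02d%02d%02d%02d",
                            f[4], mon[f[1]], f[2], t[1], t[2], t[3])
        }
        /^[ \t]*Subject:/ {                  # follows Validity in the text dump
            sub(/^[ \t]*Subject:[ \t]*/, "")
            if (stamp != "" && stamp < now) printf "%s\t%s\n", $0, raw
            stamp = ""
        }
    ' "$1"
}

# trust_file_ok LINK BUNDLE [NOW]
# Succeeds only if LINK resolves to BUNDLE and the bundle lists no expired root.
trust_file_ok() {
    [ "$1" -ef "$2" ] || return 1
    [ -z "$(expired_roots "$2" ${3:+"$3"})" ]
}

# Constructed sample: annotations only, PEM bodies omitted.
sample_bundle() {
    cat <<'EOF'
Certificate:
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
Certificate:
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}
```

On a host, `expired_roots /usr/local/share/certs/ca-root-nss.crt` run after each package upgrade prints nothing when the bundle is clean; any output means an expired root is present again.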