Date:      Sun, 4 Apr 2021 12:25:25 +0200
From:      Ronald Klop <ronald-lists@klop.ws>
To:        Jochen Neumeister <joneum@FreeBSD.org>
Cc:        freebsd-current@freebsd.org, Christoph Moench-Tegeder <cmt@burggraben.net>
Subject:   Re: Blacklisted certificates
Message-ID:  <0cb7c70f-be2a-e22c-b5da-7a4ef7e1705b@klop.ws>
In-Reply-To: <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org>
References:  <a201a652-cd77-17a7-03a5-2715920d1d3e@FreeBSD.org> <YGRWvWRP0DifBj%2Bm@elch.exwg.net> <b8135fce-1e3e-fce5-4be8-32cd4931cb51@FreeBSD.org> <1503521615.53.1617193492486@localhost> <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org>

On 3/31/21 4:19 PM, Jochen Neumeister wrote:
> 
> On 31.03.21 at 14:24, Ronald Klop wrote:
>>
>> From: Jochen Neumeister <joneum@FreeBSD.org>
>> Date: Wednesday, 31 March 2021 13:26
>> To: Christoph Moench-Tegeder <cmt@burggraben.net>, 
>> freebsd-current@freebsd.org
>> Subject: Re: Blacklisted certificates
>>>
>>>
>>> On 31.03.21 at 13:02, Christoph Moench-Tegeder wrote:
>>> > ## Jochen Neumeister (joneum@FreeBSD.org):
>>> >
>>> >> Why are these certificates blacklisted?
>>> > Various reasons:
>>> > - Symantec (which owned Thawte and VeriSign back in the time) made
>>> >    the news in a bad way:
>>> >    https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
>>>
>>> > - some certificates are simply expired
>>> > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>>> >    beyond deprecated
>>> > - and basically "whatever Mozilla did", as the certificates are
>>> >    imported from NSS.
>>>
>>> How can I ignore the certificates now? So now everyone has this 
>>> problem with an update.
>>>
>>>
>>> Greetings
>>> Jochen
>>>
>>
>> Hi,
>>
>> This is the proper output of installworld. So you don't have to ignore 
>> anything anymore. It is handled by installworld.
>>
> 
> In the next step, etcupdate has another problem. I have to delete the 
> blacklisted certificates manually.
> 
> #cd /usr/src && etcupdate
> Conflicts remain from previous update, aborting.
> 
> 
> Greetings
> Jochen
> 
> 



I'd guess you need to run "etcupdate resolve". What is the output of 
"etcupdate status"?

Regards,
Ronald.



