Date: Sun, 4 Apr 2021 12:25:25 +0200
From: Ronald Klop <ronald-lists@klop.ws>
To: Jochen Neumeister <joneum@FreeBSD.org>
Cc: freebsd-current@freebsd.org, Christoph Moench-Tegeder <cmt@burggraben.net>
Subject: Re: Blacklisted certificates
Message-ID: <0cb7c70f-be2a-e22c-b5da-7a4ef7e1705b@klop.ws>
In-Reply-To: <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org>
References: <a201a652-cd77-17a7-03a5-2715920d1d3e@FreeBSD.org> <YGRWvWRP0DifBj%2Bm@elch.exwg.net> <b8135fce-1e3e-fce5-4be8-32cd4931cb51@FreeBSD.org> <1503521615.53.1617193492486@localhost> <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org>

On 3/31/21 4:19 PM, Jochen Neumeister wrote:
>
> On 31.03.21 at 14:24, Ronald Klop wrote:
>>
>> From: Jochen Neumeister <joneum@FreeBSD.org>
>> Date: Wednesday, 31 March 2021 13:26
>> To: Christoph Moench-Tegeder <cmt@burggraben.net>, freebsd-current@freebsd.org
>> Subject: Re: Blacklisted certificates
>>>
>>> On 31.03.21 at 13:02, Christoph Moench-Tegeder wrote:
>>> > ## Jochen Neumeister (joneum@FreeBSD.org):
>>> >
>>> >> Why are these certificates blacklisted?
>>> > Various reasons:
>>> > - Symantec (which owned Thawte and VeriSign back in the time) made
>>> >   the news in a bad way:
>>> >   https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
>>> > - some certificates are simply expired
>>> > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>>> >   beyond deprecated
>>> > - and basically "whatever Mozilla did", as the certificates are
>>> >   imported from NSS.
>>>
>>> How can I ignore the certificates now? So now everyone has this
>>> problem with an update.
>>>
>>> Greetings
>>> Jochen
>>
>> Hi,
>>
>> This is the proper output of installworld. So you don't have to ignore
>> anything anymore. It is handled by installworld.
>
> In the next step etcupdate has another problem. I have to delete the
> blacklist certificates manually.
>
> #cd /usr/src && etcupdate
> Conflicts remain from previous update, aborting.
>
> Greetings
> Jochen

I'd guess you need to run "etcupdate resolve".
What is the output of "etcupdate status"?

Regards,
Ronald.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0cb7c70f-be2a-e22c-b5da-7a4ef7e1705b>