From: Ronald Klop
Date: Sun, 4 Apr 2021 12:25:25 +0200
Subject: Re: Blacklisted certificates
To: Jochen Neumeister
Cc: freebsd-current@freebsd.org, Christoph Moench-Tegeder
Message-ID: <0cb7c70f-be2a-e22c-b5da-7a4ef7e1705b@klop.ws>
In-Reply-To: <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org>
References: <1503521615.53.1617193492486@localhost> <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current

On 3/31/21 4:19 PM, Jochen Neumeister wrote:
>
> On 31.03.21 at 14:24, Ronald Klop wrote:
>>
>> From: Jochen Neumeister
>> Date: Wednesday, 31 March 2021 13:26
>> To: Christoph Moench-Tegeder, freebsd-current@freebsd.org
>> Subject: Re: Blacklisted certificates
>>>
>>>
>>> On 31.03.21 at 13:02, Christoph Moench-Tegeder wrote:
>>> > ## Jochen Neumeister (joneum@FreeBSD.org):
>>> >
>>> >> Why are these certificates blacklisted?
>>> > Various reasons:
>>> > - Symantec (which owned Thawte and VeriSign back in the time) made
>>> >    the news in a bad way:
>>> >    https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
>>> > - some certificates are simply expired
>>> > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>>> >    beyond deprecated
>>> > - and basically "whatever Mozilla did", as the certificates are
>>> >    imported from NSS.
>>>
>>> How can I ignore the certificates now? So now everyone has this
>>> problem with an update.
>>>
>>>
>>> Greetings
>>> Jochen
>>>
>>> _______________________________________________
>>> freebsd-current@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>>> To unsubscribe, send any mail to
>>> "freebsd-current-unsubscribe@freebsd.org"
>>>
>>
>> Hi,
>>
>> This is the proper output of installworld. So you don't have to ignore
>> anything anymore. It is handled by installworld.
>>
>
> In the next step etcupdate has another problem. I have to delete the
> blacklist certificates manually.
>
> #cd /usr/src && etcupdate
> Conflicts remain from previous update, aborting.
>
>
> Greetings
> Jochen
>

I'd guess you need to run "etcupdate resolve".
What is the output of "etcupdate status"?

Regards,
Ronald.