Date: Sun, 07 Jun 2020 12:57:36 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 247044] security/ca_root_nss: Expired AddTrust certificate causes trouble on 11.3-RELEASE-p9 Message-ID: <bug-247044-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D247044 Bug ID: 247044 Summary: security/ca_root_nss: Expired AddTrust certificate causes trouble on 11.3-RELEASE-p9 Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: ports-secteam@FreeBSD.org Reporter: dev2@heesakkers.info Flags: maintainer-feedback?(ports-secteam@FreeBSD.org) Assignee: ports-secteam@FreeBSD.org ca_root_nss version 3.53 still contains the expired "AddTrust External CA r= oot" and "AddTrust Class 1 CA Root". As far as I understand it, this shouldn't b= e a problem for openssl 1.1 which automatically builds a new required chain, bu= t on 11.3-RELEASE-p9, which uses openssl 1.0, validation will fail. If you're looking for en example certificate that exhibits this problem: rtvutrecht dot nl My solution was to remove the expired certificates from /usr/local/share/certs/ca-root-nss.crt I'm not sure whether this should be fixed at the FreeBSD end or the Mozilla end, I'll leave that to the maintainer to decide. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-247044-7788>