From owner-freebsd-questions@freebsd.org Sat Jun 6 15:31:08 2020
Message-ID: <59211.198.205.123.4.1591457461.squirrel@squirrelmail.mxes.net>
In-Reply-To: <247ae2fd-a7e8-146b-be43-47ca247cca10@netfence.it>
References: <5e1a71cd-6837-47f1-b485-c583550db48a@unixarea.de> <247ae2fd-a7e8-146b-be43-47ca247cca10@netfence.it>
Date: Sat, 6 Jun 2020 11:31:01 -0400 (EDT)
Subject: Re: Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
From: "John Capo"
To: "Andrea Venturoli"
Cc: freebsd-questions@freebsd.org
On Fri, June 5, 2020 11:08, Andrea Venturoli wrote:
> On 2020-06-01 00:16, Garance A Drosehn wrote:
>
>> There is a cert from AddTrust which expired early on Saturday. I
>> believe it was the cert for certificate-authority named USERTrust RSA. This shouldn't have been a
>> problem, because there is a newer cert for that same CA which has not expired.
>>
>> I do not understand all the details, but apparently there is a bug in
>> versions of OpenSSL which are older than version 1.1. If the older (now-expired) cert is known
>> on some system, it is used instead of the newer cert. And therefore that cert, and every cert
>> which was generated by that CA is also considered invalid. This problem hit us at RPI on many
>> Redhat systems yesterday.
>>
>> I also saw the problem in Mail.app on some of my older MacOS systems,
>> but Mail.app does not have this problem on MacOS catalina.
>
> I can see it too, on many sites.
>
> E.g.
> "openssl s_client -connect www.allmusic.com:https" passes verification
> on 12.1, but fails on 11.3.
>
> Deleting the expired certificate from /etc/ssl/cert.pem is enough to
> solve the problem.
>
> Is anyone looking into this?
> What is the official position/suggestion for those stuck on 11.x?
> Has at least a bug been reported?

This worked for me to fix curl on 11.3. Get the Mozilla cert bundle from here:
https://curl.haxx.se/ca/cacert.pem

Replace the AddTrust External Root cert in that bundle with a new one from here:
https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html

Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.

John Capo
Tuffmail.com
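As an added example (not from this thread, FreeBSD, or the ca_root_nss port), a shell function that does the pruning Andrea and John describe in a checkable way: split a PEM bundle such as /etc/ssl/cert.pem or /usr/local/share/certs/ca-root-nss.crt into single certificates, keep only the ones `openssl x509 -checkend` reports as still valid, and print the subject of each dropped certificate to stderr so you can confirm it is the expired AddTrust root before swapping the file in. The function name and the optional look-ahead argument (seconds, to also drop roots about to expire) are my own; it needs only sh, awk and the openssl command.

```shell
#!/bin/sh
# Added example, not code from the original mail thread.
# Usage: prune_expired_certs IN_BUNDLE OUT_BUNDLE [SECONDS_AHEAD]
# Copies every certificate in IN_BUNDLE to OUT_BUNDLE except those that
# `openssl x509 -checkend SECONDS_AHEAD` reports as expired (default: now).
# Prints the number of dropped certificates on stdout, their subjects on stderr.
prune_expired_certs() {
    in_bundle=$1
    out_bundle=$2
    ahead=${3:-0}                       # 0 = "already expired right now"
    tmpdir=$(mktemp -d) || return 1
    : > "$out_bundle"
    removed=0
    # Write each BEGIN..END CERTIFICATE block to its own numbered file,
    # skipping any comments or headers between blocks.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$in_bundle"
    for cert in "$tmpdir"/*.pem; do
        [ -f "$cert" ] || continue
        if openssl x509 -in "$cert" -noout -checkend "$ahead" >/dev/null 2>&1; then
            cat "$cert" >> "$out_bundle"        # still valid: keep it
        else
            removed=$((removed + 1))
            # Report what was dropped so the admin can verify it is the expected root.
            printf 'dropped: %s\n' "$(openssl x509 -in "$cert" -noout -subject)" >&2
        fi
    done
    rm -rf "$tmpdir"
    echo "$removed"
}

# Example of the workflow from the thread (back up the original first):
#   cp /usr/local/share/certs/ca-root-nss.crt /root/ca-root-nss.crt.bak
#   prune_expired_certs /root/ca-root-nss.crt.bak /usr/local/share/certs/ca-root-nss.crt
```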