Date: Mon, 8 Jun 2020 11:47:43 +0200
From: Andrea Venturoli <ml@netfence.it>
To: John Capo <jc@irbs.com>
Cc: freebsd-questions@freebsd.org, ports-secteam@FreeBSD.org
Subject: Re: Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
Message-ID: <3ebe4055-d885-6591-6765-2e845a4385ff@netfence.it>
In-Reply-To: <59211.198.205.123.4.1591457461.squirrel@squirrelmail.mxes.net>
References: <5e1a71cd-6837-47f1-b485-c583550db48a@unixarea.de> <E8FACC8D-7BE7-4A59-ACE1-65CAFFD24715@rpi.edu> <247ae2fd-a7e8-146b-be43-47ca247cca10@netfence.it> <59211.198.205.123.4.1591457461.squirrel@squirrelmail.mxes.net>

On 2020-06-06 17:31, John Capo wrote:
> This worked for me to fix curl on 11.3. Get the Mozilla cert bundle from here:
>
> https://curl.haxx.se/ca/cacert.pem
>
> Replace the AddTrust External Root cert in that bundle with a new one from here:
>
> https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html
>
> Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.

Hello.

As I said, removing the cert was enough for me; I didn't even need to add the updated one.

Of course this needs to be done on each host and each jail therein... and repeated after every security/ca_root_nss update.

My question was: is the project planning to solve this? How? Or are we all expected to do the work ourselves on our boxes?

I guess patching security/ca_root_nss would be a fast workaround, while patching base openssl would be a lot more trouble.

Will 11.4 still have this bug?

bye & Thanks
av.
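
The workaround discussed in this message, removing an expired root from a PEM bundle, generalized to "split out every certificate whose notAfter has passed". This is an added example, not part of the original e-mail or of the ca_root_nss port. The function names and the sample blocks are assumptions made for illustration, and the validity lookup is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)
# Validity ::= SEQUENCE { notBefore Time, notAfter Time }; each Time is a
# UTCTime (tag 0x17, 13 bytes) or a GeneralizedTime (tag 0x18, 15 bytes).
TIME = rb"(?:\x17\x0d\d{12}Z|\x18\x0f\d{14}Z)"
VALIDITY_RE = re.compile(TIME + rb"(?:\x17\x0d(\d{12})Z|\x18\x0f(\d{14})Z)")


def not_after(der):
    """Return notAfter found by pattern scan over DER bytes (heuristic)."""
    m = VALIDITY_RE.search(der)
    if m is None:
        return None
    if m.group(1):  # UTCTime: two-digit year, 50-99 means 19xx (RFC 5280)
        yy = int(m.group(1)[:2])
        stamp = ("19" if yy >= 50 else "20") + m.group(1).decode()
    else:  # GeneralizedTime carries a four-digit year
        stamp = m.group(2).decode()
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def split_bundle(pem_text, now):
    """Split a PEM bundle into (kept, expired) lists of PEM blocks."""
    kept, expired = [], []
    for m in PEM_RE.finditer(pem_text):
        end = not_after(base64.b64decode(m.group(1)))
        # A block whose validity cannot be read is kept, never silently dropped.
        (expired if end is not None and end < now else kept).append(m.group(0))
    return kept, expired


def fake_cert(name, start, end):
    """Constructed stand-in for a certificate: only the Validity bytes are real DER."""
    der = b"\x30\x1e\x17\x0d" + start + b"\x17\x0d" + end + name
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample bundle: one root that expired in May 2020, one still valid.
SAMPLE = (fake_cert(b"expired root", b"000530104838Z", b"200530104838Z")
          + fake_cert(b"current root", b"100201000000Z", b"380118235959Z"))
```

Writing `"\n".join(kept)` to a new file and reviewing `expired` before swapping the bundle keeps the change auditable on each host and jail.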