From: Michael Grimm
Subject: net/openntpd with constraint stops working after recent security/ca_root_nss upgrade
Date: Sat, 7 Oct 2023 16:59:31 +0200
To: freebsd-ports@freebad.org, freebsd-security@freebsd.org
Message-Id: <123E9280-CBF1-4E00-B803-86AE4438C9D7@ellael.org>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi

I am running net/openntpd with a constraint:

…
constraint from "9.9.9.9"

After the recent upgrade of security/ca_root_nss to 3.93_1 I noticed a lot of warning messages (see end of mail).

Now, net/openntpd 6.8p1_7,2 stopped working:

Oct 7 09:39:53 kaan-bock ntpd[932]: constraints configured but none available
Oct 7 09:39:53 kaan-bock ntpd[934]: constraint: failed to load constraint ca

I had to remove that constraint from ntpd.conf in order to get ntpd working again.
Is this a bug or a feature of the recent security/ca_root_nss?

Thanks and regards,
Michael

[13/58] Extracting ca_root_nss-3.93_1: 100%
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/untrusted/157753a5.0)
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/untrusted/861a399d.0)
Skipping untrusted certificate /usr/share/certs/trusted/Camerfirma_Chambers_of_Commerce_Root.pem (/etc/ssl/untrusted/f90208f7.0)
Skipping untrusted certificate /usr/share/certs/trusted/Camerfirma_Global_Chambersign_Root.pem (/etc/ssl/untrusted/cb59f961.0)
Skipping untrusted certificate /usr/share/certs/trusted/Certum_Root_CA.pem (/etc/ssl/untrusted/442adcac.0)
Skipping untrusted certificate /usr/share/certs/trusted/Chambers_of_Commerce_Root_-_2008.pem (/etc/ssl/untrusted/c47d9980.0)
Skipping untrusted certificate /usr/share/certs/trusted/D-TRUST_Root_CA_3_2013.pem (/etc/ssl/untrusted/0b7c536a.0)
Skipping untrusted certificate /usr/share/certs/trusted/EC-ACC.pem (/etc/ssl/untrusted/349f2832.0)
Skipping untrusted certificate /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem (/etc/ssl/untrusted/128805a3.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/untrusted/2c543cd1.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem (/etc/ssl/untrusted/116bf586.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/e2799e36.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem (/etc/ssl/untrusted/480720ec.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem (/etc/ssl/untrusted/8867006a.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA.pem (/etc/ssl/untrusted/ad088e1d.0)
Skipping untrusted certificate /usr/share/certs/trusted/Global_Chambersign_Root_-_2008.pem (/etc/ssl/untrusted/0c4c9b6c.0)
Skipping untrusted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/untrusted/def36a68.0)
Skipping untrusted certificate /usr/share/certs/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem (/etc/ssl/untrusted/b1b8a7f3.0)
Skipping untrusted certificate /usr/share/certs/trusted/QuoVadis_Root_CA.pem (/etc/ssl/untrusted/080911ac.0)
Skipping untrusted certificate /usr/share/certs/trusted/Sonera_Class_2_Root_CA.pem (/etc/ssl/untrusted/9c2e7d30.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/untrusted/5c44d531.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem (/etc/ssl/untrusted/5a4d6896.0)
Skipping untrusted certificate /usr/share/certs/trusted/SwissSign_Platinum_CA_-_G2.pem (/etc/ssl/untrusted/a8dee976.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/62744ee1.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem (/etc/ssl/untrusted/26312675.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/4d4ba017.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem (/etc/ssl/untrusted/1320b215.0)
Skipping untrusted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem (/etc/ssl/untrusted/6410666e.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem (/etc/ssl/untrusted/c089bbbd.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem (/etc/ssl/untrusted/ba89ed3b.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA.pem (/etc/ssl/untrusted/2e4eed3c.0)
Skipping untrusted certificate /usr/share/certs/trusted/Trustis_FPS_Root_CA.pem (/etc/ssl/untrusted/d853d49e.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/ee1365c0.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/dc45b0bd.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/c0ff1f52.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/7d0b38bd.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (/etc/ssl/untrusted/b204d74a.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Universal_Root_Certification_Authority.pem (/etc/ssl/untrusted/c01cdfa2.0)
Scanning /usr/local/share/certs for certificates...
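As an added example that is not part of Michael's post and not code from certctl(8) or openntpd: a small parser for the two kinds of messages quoted above, the certctl "Skipping untrusted certificate" warnings (trusted PEM file plus the /etc/ssl/untrusted hash link that shadowed it) and the ntpd constraint errors. The sample input is a constructed subset of the lines in the post; the third syslog line is invented as a non-matching control.

```python
import re

# certctl(8) warning as quoted in the post: the trusted PEM that was skipped and the
# subject-hash link under /etc/ssl/untrusted that caused the skip.
SKIP_RE = re.compile(
    r"Skipping untrusted certificate (?P<pem>\S+\.pem) "
    r"\((?P<hashfile>/etc/ssl/untrusted/[0-9a-f]{8}\.\d+)\)"
)

# Messages openntpd logged in the post once no constraint CA could be loaded.
NTPD_FAILURE_MARKERS = (
    "failed to load constraint ca",
    "constraints configured but none available",
)


def parse_skipped(certctl_output: str) -> list[dict]:
    """One record per skipped trusted certificate: file name, path, shadowing hash link."""
    records = []
    for m in SKIP_RE.finditer(certctl_output):
        pem, hashfile = m.group("pem"), m.group("hashfile")
        records.append({
            "name": pem.rsplit("/", 1)[-1],
            "pem": pem,
            "hashfile": hashfile,
            # OpenSSL subject hash, i.e. the file name without the ".N" suffix
            "subject_hash": hashfile.rsplit("/", 1)[-1].split(".")[0],
        })
    return records


def constraint_failures(syslog_lines: list[str]) -> list[str]:
    """Syslog lines from ntpd that indicate the constraint CA bundle failed to load."""
    return [line for line in syslog_lines
            if "ntpd[" in line and any(k in line for k in NTPD_FAILURE_MARKERS)]


# Constructed sample input: three warning lines from the post and the two ntpd lines.
SAMPLE_CERTCTL = """\
Scanning /usr/share/certs/trusted for certificates...
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/untrusted/157753a5.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/untrusted/2c543cd1.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Universal_Root_Certification_Authority.pem (/etc/ssl/untrusted/c01cdfa2.0)
Scanning /usr/local/share/certs for certificates...
"""
SAMPLE_SYSLOG = [
    "Oct 7 09:39:53 kaan-bock ntpd[932]: constraints configured but none available",
    "Oct 7 09:39:53 kaan-bock ntpd[934]: constraint: failed to load constraint ca",
    "Oct 7 09:39:54 kaan-bock ntpd[932]: adjusting local clock by 0.012s",  # invented control line
]

if __name__ == "__main__":
    for r in parse_skipped(SAMPLE_CERTCTL):
        print(f"{r['name']:60s} shadowed by {r['hashfile']}")
    for line in constraint_failures(SAMPLE_SYSLOG):
        print("ntpd:", line)
```

Run against the full warning list, the output shows which roots the upgrade pushed into the untrusted store, which is the first thing to compare against the CA bundle the ntpd constraint relies on.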