Date: Wed, 31 Mar 2021 13:02:21 +0200
From: Christoph Moench-Tegeder
To: freebsd-current@freebsd.org
Subject: Re: Blacklisted certificates

## Jochen Neumeister (joneum@FreeBSD.org):

> Why are these certificates blacklisted?

Various reasons:
- Symantec (which owned Thawte and VeriSign back in the time) made the
  news in a bad way:
  https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
- some certificates are simply expired
- some certificates use SHA-1 ("sha1WithRSAEncryption") which is
  beyond deprecated
- and basically "whatever Mozilla did", as the certificates are
  imported from NSS.

Regards,
Christoph

-- 
Spare Space