Date: Wed, 31 Mar 2021 14:03:22 +0200
From: Michael Gmelin
To: Christoph Moench-Tegeder
Cc: freebsd-current@freebsd.org
Subject: Re: Blacklisted certificates
Message-ID: <20210331140322.07a3e650@bsd64.grem.de>
On Wed, 31 Mar 2021 13:02:21 +0200
Christoph Moench-Tegeder wrote:

> ## Jochen Neumeister (joneum@FreeBSD.org):
>
> > Why are these certificates blacklisted?
>
> Various reasons:
> - Symantec (which owned Thawte and VeriSign back in the time) made
>   the news in a bad way:
>   https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
> - some certificates are simply expired
> - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>   beyond deprecated

The hashing algorithm (SHA-1) doesn't matter in the case of trusted root CAs though, as they're self-signed anyway - you trust the certificate and not the signature in this case. Therefore, keeping them in for compatibility reasons can make sense to prevent people from having to maintain their own local trusted CA cert lists.
Probably doesn't matter so much in this specific case, but I remember when security/ca_root_nss removed MD5 self-signed root CAs and the world of pain I was in as a result of that decision, as legitimate certificates that worked in all major browsers would suddenly be considered insecure by my servers.

-m

> - and basically "whatever Mozilla did", as the certificates are
>   imported from NSS.
>
> Regards,
> Christoph
>

--
Michael Gmelin
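The check behind Michael's point, as an added example that is not code from this thread or from the ca_root_nss port: walk a PEM bundle (the path /usr/local/share/certs/ca-root-nss.crt is an assumption), report each certificate's signature algorithm and whether it is self-signed, and mark a weak (MD5 or SHA-1) self-signature on a root as harmless, because RFC 5280 path validation never verifies the trust anchor's own signature, while a weak signature on any other link of a chain is a real finding. It uses a small stdlib-only DER walker; the sample certificates are constructed inside the block by toy_pem (dummy key and signature) and are not real roots.

```python
import base64, re

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}  # weak ones named in the thread

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value (short and long-form lengths)."""
    pos = 0
    while pos < len(value):
        tag, ln, pos = value[pos], value[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length octets that follow
            n, pos = ln & 0x7F, pos + (ln & 0x7F)
            ln = int.from_bytes(value[pos - n:pos], "big")
        yield tag, value[pos:pos + ln]
        pos += ln

def _oid(value):
    """Decode a DER OBJECT IDENTIFIER body (base-128 arcs) into dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def assess_cert(der):
    """(algorithm, self_signed, verdict): RFC 5280 path validation never verifies the trust anchor's own signature, only those of the links below it."""
    (_, tbs), (_, sig_alg), _ = _children(next(_children(der))[1])  # tbsCertificate, signatureAlgorithm, signatureValue
    f = [v for t, v in _children(tbs) if t != 0xA0]  # drop the optional [0] version so field indices are stable
    self_signed = f[2] == f[4]                        # issuer (after serial, signature) vs subject (after validity)
    oid = _oid(next(_children(sig_alg))[1])
    alg = SIG_ALGS.get(oid, oid)
    verdict = "ok" if alg not in SIG_ALGS.values() else "anchor: self-signature not checked" if self_signed else "weak chain link"
    return alg, self_signed, verdict

def assess_bundle(pem):
    """Run assess_cert over every certificate in a PEM bundle such as ca-root-nss.crt."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [assess_cert(base64.b64decode("".join(b.split()))) for b in blobs]

def _enc(tag, body):  # minimal DER encoder (lengths below 65536), used only to build the constructed sample
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x82, len(body) >> 8, len(body) & 0xFF])) + body

def toy_pem(issuer_cn, subject_cn):
    """Constructed sample, not a real certificate: X.509 v3 shell with sha1WithRSAEncryption, dummy key and signature."""
    name = lambda cn: _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, cn))))  # Name: CN=<cn>
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + b"\x05\x00")  # sha1WithRSAEncryption, NULL params
    validity = _enc(0x30, _enc(0x17, b"210331120000Z") + _enc(0x17, b"310331120000Z"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + name(issuer_cn) + validity + name(subject_cn) + _enc(0x30, b""))
    der = _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Running assess_bundle over the real bundle (open the file and pass its text) gives one tuple per root; a SHA-1 self-signed root comes back as an anchor whose signature is never checked, which is exactly why its hash algorithm alone is not a reason to drop it.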