From owner-freebsd-current@freebsd.org Wed Mar 31 14:19:52 2021 Return-Path: Delivered-To: freebsd-current@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A4C275795C5 for ; Wed, 31 Mar 2021 14:19:52 +0000 (UTC) (envelope-from joneum@FreeBSD.org) Received: from toco-domains.de (mail.toco-domains.de [176.9.100.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F9T3X3hr5z3Pw4 for ; Wed, 31 Mar 2021 14:19:52 +0000 (UTC) (envelope-from joneum@FreeBSD.org) Received: by toco-domains.de (Postfix, from userid 65534) id DFA86CAA0F; Wed, 31 Mar 2021 16:19:49 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on toco-mail X-Spam-Level: X-Spam-Status: No, score=-2.9 required=4.0 tests=ALL_TRUSTED,BAYES_00, NICE_REPLY_A,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.4 Received: from Jochens-MacBook-Pro.local (ip-178-202-191-19.hsi09.unitymediagroup.de [178.202.191.19]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by toco-domains.de (Postfix) with ESMTPSA id 48669CAA03; Wed, 31 Mar 2021 16:19:46 +0200 (CEST) Subject: Re: Blacklisted certificates To: Ronald Klop Cc: freebsd-current@freebsd.org, Christoph Moench-Tegeder References: <1503521615.53.1617193492486@localhost> From: Jochen Neumeister Message-ID: <07e40f43-18e7-f467-34d6-ec977b7de544@FreeBSD.org> Date: Wed, 31 Mar 2021 16:19:44 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0 MIME-Version: 1.0 In-Reply-To: <1503521615.53.1617193492486@localhost> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: de-DE X-Rspamd-Queue-Id: 4F9T3X3hr5z3Pw4 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Mar 2021 14:19:52 -0000 Am 31.03.21 um 14:24 schrieb Ronald Klop: > > Van: Jochen Neumeister > Datum: woensdag, 31 maart 2021 13:26 > Aan: Christoph Moench-Tegeder , > freebsd-current@freebsd.org > Onderwerp: Re: Blacklisted certificates >> >> >> Am 31.03.21 um 13:02 schrieb Christoph Moench-Tegeder: >> > ## Jochen Neumeister (joneum@FreeBSD.org): >> > >> >> Why are this certificates blacklisted? >> > Various reasons: >> > - Symantec (which owned Thawte and VeriSign back in the time) made >> >    the news in a bad way: >> > >> https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/ >> > - some certificates are simply expired >> > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is >> >    beyond deprecated >> > - and basically "whatever Mozilla did", as the certificates are >> >    imported from NSS. >> >> how can I ignore the certificates now? So now everyone has this >> problem with an update >> >> >> Greetings >> Jochen >> >> _______________________________________________ >> freebsd-current@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-current >> To unsubscribe, send any mail to >> "freebsd-current-unsubscribe@freebsd.org" >> >> >> > > Hi, > > This is the proper output of installworld. So you don't have to ignore > anything anymore. It is handled by installworld. > in the next step etcupdate has another problem. I have to delete the blacklist certificates manually. #cd /usr/src && etcupdate Conflicts remain from previous update, aborting. Greetings Jochen