Date:      Wed, 31 Mar 2021 11:37:54 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 254676] Certificate blacklisted on CURRENT
Message-ID:  <bug-254676-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254676

            Bug ID: 254676
           Summary: Certificate blacklisted on CURRENT
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: joneum@FreeBSD.org

>>> Installing everything completed on Wed Mar 31 11:45:55 CEST 2021
--------------------------------------------------------------
Scanning /usr/share/certs/blacklisted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Skipping blacklisted certificate
/usr/share/certs/trusted/AddTrust_External_Root.pem
(/etc/ssl/blacklisted/157753a5.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem
(/etc/ssl/blacklisted/861a399d.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem
(/etc/ssl/blacklisted/128805a3.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/GeoTrust_Global_CA.pem
(/etc/ssl/blacklisted/2c543cd1.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem
(/etc/ssl/blacklisted/480720ec.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
(/etc/ssl/blacklisted/e2799e36.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/GeoTrust_Universal_CA.pem
(/etc/ssl/blacklisted/ad088e1d.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem
(/etc/ssl/blacklisted/8867006a.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/LuxTrust_Global_Root_2.pem
(/etc/ssl/blacklisted/def36a68.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
(/etc/ssl/blacklisted/5c44d531.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
(/etc/ssl/blacklisted/62744ee1.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
(/etc/ssl/blacklisted/4d4ba017.0)
Skipping blacklisted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem
(/etc/ssl/blacklisted/6410666e.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
(/etc/ssl/blacklisted/7d0b38bd.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
(/etc/ssl/blacklisted/b204d74a.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
(/etc/ssl/blacklisted/c0ff1f52.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/thawte_Primary_Root_CA.pem
(/etc/ssl/blacklisted/2e4eed3c.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem
(/etc/ssl/blacklisted/c089bbbd.0)
Skipping blacklisted certificate
/usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem
(/etc/ssl/blacklisted/ba89ed3b.0)
Scanning /usr/local/share/certs for certificates...
root@joneumbox:/usr/src # uname -a
FreeBSD joneumbox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-51cc31088: Tue Mar 30 16:52:21 CEST 2021     root@joneumbox.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG  amd64


cmt gave this news about this error on the ML:
https://lists.freebsd.org/pipermail/freebsd-current/2021-March/079317.html

Various reasons:
- Symantec (which owned Thawte and VeriSign back at the time) made
  the news in a bad way:
  https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
- some certificates are simply expired
- some certificates use SHA-1 ("sha1WithRSAEncryption") which is
  beyond deprecated
- and basically "whatever Mozilla did", as the certificates are
  imported from NSS.


How can we proceed here to solve the problem? Can the certificates simply be
deleted from /usr/share/certs/trusted/*?

-- 
You are receiving this mail because:
You are the assignee for the bug.
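An added example, not certctl's own code, that reproduces the decision behind the "Skipping blacklisted certificate" lines above and adds the checks from the reasons list (expiry, SHA-1 signature) so an admin can audit the trusted store before deciding what to delete. It assumes the blacklist files are named by OpenSSL subject hash (as the 157753a5.0-style names suggest), that openssl(1) is on PATH, and that the directories default to the paths in this report (override with TRUSTED and BLACKLISTED).

```shell
#!/bin/sh
# Audit a trusted-certificate directory against a certctl-style blacklist.
# Assumption: blacklist entries are <openssl subject_hash>.<n>, matching the
# filenames in the log above. Paths default to the FreeBSD locations reported.
TRUSTED="${TRUSTED:-/usr/share/certs/trusted}"
BLACKLISTED="${BLACKLISTED:-/etc/ssl/blacklisted}"

# Classify one PEM file. Prints exactly one of:
#   blacklisted <hashfile> | expired | sha1-signed | ok | unreadable
classify_cert() {
    pem="$1"
    # Same hash certctl would compute; the blacklist is keyed on it.
    hash=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) \
        || { echo "unreadable"; return 1; }
    for f in "$BLACKLISTED/$hash".*; do
        # A matching hash file means certctl will skip this certificate.
        [ -e "$f" ] && { echo "blacklisted $f"; return 0; }
    done
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo "expired"; return 0
    fi
    # Catches sha1WithRSAEncryption and ecdsa-with-SHA1 alike.
    if openssl x509 -noout -text -in "$pem" 2>/dev/null \
        | grep -qi 'Signature Algorithm: .*sha1'; then
        echo "sha1-signed"; return 0
    fi
    echo "ok"
}

# Walk the trusted directory and print one verdict per certificate,
# the same set certctl reports as "Skipping" plus the extra checks.
audit_trusted() {
    for pem in "$TRUSTED"/*.pem; do
        [ -e "$pem" ] || continue   # empty directory: glob stays literal
        printf '%s: %s\n' "$pem" "$(classify_cert "$pem")"
    done
}

audit_trusted
```

Certificates reported as "blacklisted" are already ignored by certctl; "expired" or "sha1-signed" ones are candidates to raise upstream rather than to delete by hand, since the store is regenerated from NSS on the next update.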


