Date: Wed, 31 Mar 2021 11:37:54 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 254676] Certificate blacklisted on CURRENT Message-ID: <bug-254676-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D254676 Bug ID: 254676 Summary: Certificate blacklisted on CURRENT Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: joneum@FreeBSD.org >>> Installing everything completed on Wed Mar 31 11:45:55 CEST 2021 -------------------------------------------------------------- Scanning /usr/share/certs/blacklisted for certificates... Scanning /usr/share/certs/trusted for certificates... Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/blacklisted/157753a5.0) Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/blacklisted/861a399d.0) Skipping blacklisted certificate /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem (/etc/ssl/blacklisted/128805a3.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/blacklisted/2c543cd1.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem (/etc/ssl/blacklisted/480720ec.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (/etc/ssl/blacklisted/e2799e36.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA.pem (/etc/ssl/blacklisted/ad088e1d.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem (/etc/ssl/blacklisted/8867006a.0) Skipping blacklisted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/blacklisted/def36a68.0) Skipping blacklisted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/blacklisted/5c44d531.0) Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Auth= ority_-_G4.pem (/etc/ssl/blacklisted/62744ee1.0) Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Auth= ority_-_G4.pem (/etc/ssl/blacklisted/4d4ba017.0) Skipping blacklisted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem (/etc/ssl/blacklisted/6410666e.0) Skipping blacklisted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Auth= ority_-_G4.pem (/etc/ssl/blacklisted/7d0b38bd.0) Skipping blacklisted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Auth= ority_-_G5.pem (/etc/ssl/blacklisted/b204d74a.0) Skipping blacklisted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Auth= ority_-_G3.pem (/etc/ssl/blacklisted/c0ff1f52.0) Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA.pem (/etc/ssl/blacklisted/2e4eed3c.0) Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem (/etc/ssl/blacklisted/c089bbbd.0) Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem (/etc/ssl/blacklisted/ba89ed3b.0) Scanning /usr/local/share/certs for certificates... root@joneumbox:/usr/src # uname -a FreeBSD joneumbox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-51cc31088: = Tue Mar 30 16:52:21 CEST 2021=20=20=20=20 root@joneumbox.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 cmt give this news about this error on the ML: https://lists.freebsd.org/pipermail/freebsd-current/2021-March/079317.html Various reasons: - Symantec (which owned Thawte and VeriSign back in the time) made the news in a bad way: https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/ - some certificates are simply expired - some certificates use SHA-1 ("sha1WithRSAEncryption") which is beyond deprecated - and basically "whatever Mozilla did", as the certificates are imported from NSS. How can we proceed here to solve the problem? Can the certificates simply be deleted from /usr/share/certs/trusted/*? --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-254676-227>