Date: Fri, 1 Oct 2021 10:24:47 -0400
From: mike tancsa <mike@sentex.net>
To: freebsd-questions@freebsd.org
Subject: Re: expired Lets Encrypt CA and fetch
Message-ID: <10ff4d55-9889-9b79-d89a-2a0bca19f648@sentex.net>
In-Reply-To: <0a181938-ca91-4e79-19b3-f774b854a600@sentex.net>
References: <b5400e1d-acde-3ca4-f244-d935df9544ab@sentex.net> <YVZhD3obEBAl5Gsz@ceres.zyxst.net> <0a181938-ca91-4e79-19b3-f774b854a600@sentex.net>
On 10/1/2021 9:23 AM, mike tancsa wrote:
> On 9/30/2021 9:14 PM, tech-lists wrote:
>> Hi,
>>
>> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>>
>>> fails on releng11 and some RELENG_12, but not recent releng13. Does
>>> anyone know what's going on and why it's so inconsistent? If I remove the
>>> expired CA entry from the bundle, it works, but I don't have to on all
>>> clients? Anyone know what's going on?
>> It fails for me on 12.2-p7 and 13.0-p4 and stable/13 as of a few days
>> ago with fetch.
>>
>> I have no clue why your recent releng13 works. Maybe your fetch on
>> there is linked to the SSL a browser would use?
> Digging a bit further, it depends what the server sends and how the
> client works, e.g. does the server send along both the expired
> intermediary and the not expired one. Can an intermediary be trusted like a
> root? etc.
>
> The OpenBSD guys made a change that could break some applications, but I
> am not sure what
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
>
>
> I am guessing (not tested) something like this on RELENG_11? Note the
> discussion at
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev 2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c 2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
> "default", /* X509 default parameters */
> 0, /* Check time */
> 0, /* internal flags */
> - 0, /* flags */
> + X509_V_FLAG_TRUSTED_FIRST, /* flags */
> 0, /* purpose */
> 0, /* trust */
> 100, /* depth */
>
>
> ---Mike

This does seem to work. If I patch the file then

cd /usr/src/secure
make depend
make
make install

fetch on RELENG_11 no longer complains. Whether or not I am doing some massive foot shooting, I am not sure. I think I will ask on freebsd-security.

    ---Mike

> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
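Review bot: the changed line sits in the entry labelled "default" / "X509 default parameters" of the verify-parameter table, so the new flag is inherited by every verification that starts from the library defaults (sendmail, fetch, anything else linked against the base libcrypto), not only by fetch, and the hunk carries no comment saying so. Replace the bare `/* flags */` with a comment that records the intent, e.g. `X509_V_FLAG_TRUSTED_FIRST, /* flags: prefer the trust store when building chains */`, and state the library-wide effect in the commit message. If the intent is only to unbreak libfetch, the narrower change is to set the flag on that one context with X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx), X509_V_FLAG_TRUSTED_FIRST) in libfetch's SSL setup rather than editing the table; either way, keep the self-signed ISRG Root X1 in the bundle, since trusted-first chain building can only stop at a root that is actually present in the store.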
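Added example, not code from the thread, from FreeBSD or from OpenSSL: a Go program that builds a Let's Encrypt-shaped certificate hierarchy from freshly generated, hypothetical keys and walks it with a deliberately simplified model of the two chain-building orders the patch above switches between. The names DST Root CA X3, ISRG Root X1 and R3 are labels on stand-in certificates; the timeline, the leaf name example.test and all function names are constructed for the demo. With trustedFirst=false (the OpenSSL 1.0.2 default) the walk follows the server-sent cross-signed ISRG Root X1 up to the expired DST Root CA X3 in the bundle and fails on expiry; with trustedFirst=true (X509_V_FLAG_TRUSTED_FIRST, the only behaviour in OpenSSL 1.1.0 and later) it stops at the self-signed ISRG Root X1 as soon as that certificate issues R3; and with the expired root deleted from the bundle even the untrusted-first walk recovers through 1.0.2's alternative-chains backtracking, which is the other workaround observed in the thread. The model ignores authority key identifier matching, depth limits and issuer cycles.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed timeline: now is past the old root's expiry but inside every other certificate's validity.
var t0, now = time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2021, 10, 1, 12, 0, 0, 0, time.UTC)

// mkCert issues a certificate for subj over key, signed by parent/parentKey (self-signed when
// parent is nil). Reusing key lets one CA be both self-signed and cross-signed, as ISRG Root X1 is.
func mkCert(subj string, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey, isCA bool, notAfter time.Time) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: subj},
		NotBefore: t0, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// newFixture builds a Let's Encrypt-shaped hierarchy with hypothetical keys: the server sends leaf,
// R3 and the cross-signed ISRG Root X1; the bundle holds DST Root CA X3 (expired) then ISRG Root X1.
func newFixture() (leaf *x509.Certificate, served, bundle []*x509.Certificate) {
	key := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	oldK, newK, r3K, leafK := key(), key(), key(), key()
	old := mkCert("DST Root CA X3", oldK, nil, nil, true, t0.AddDate(0, 8, 0))
	newSelf := mkCert("ISRG Root X1", newK, nil, nil, true, t0.AddDate(20, 0, 0))
	newCross := mkCert("ISRG Root X1", newK, old, oldK, true, t0.AddDate(3, 0, 0))
	r3 := mkCert("R3", r3K, newSelf, newK, true, t0.AddDate(5, 0, 0))
	leaf = mkCert("example.test", leafK, r3, r3K, false, t0.AddDate(1, 0, 0))
	return leaf, []*x509.Certificate{leaf, r3, newCross}, []*x509.Certificate{old, newSelf}
}

// issuerOf returns the certificate in pool whose subject is c's issuer and whose key verifies c, or nil.
func issuerOf(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, cand := range pool {
		if cand != c && cand.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(cand) == nil {
			return cand
		}
	}
	return nil
}

// buildChain models the two orders the thread contrasts: trustedFirst=false follows the server's
// chain to its end before consulting the bundle (the OpenSSL 1.0.2 default); trustedFirst=true takes
// a bundle certificate as soon as one issues the current certificate (X509_V_FLAG_TRUSTED_FIRST).
func buildChain(leaf *x509.Certificate, untrusted, trusted []*x509.Certificate, trustedFirst bool) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for {
		cur := chain[len(chain)-1]
		t, u := issuerOf(cur, trusted), issuerOf(cur, untrusted)
		if t != nil && (trustedFirst || u == nil) {
			chain = append(chain, t)
			break
		}
		if u == nil {
			// No issuer anywhere: 1.0.2's alternative-chains logic pops certificates until one has a
			// bundle issuer. It runs only when the chain cannot be completed, never after a validity failure.
			for chain = chain[:len(chain)-1]; len(chain) > 0 && issuerOf(chain[len(chain)-1], trusted) == nil; {
				chain = chain[:len(chain)-1]
			}
			if len(chain) == 0 {
				return nil, fmt.Errorf("unable to get local issuer certificate")
			}
			chain = append(chain, issuerOf(chain[len(chain)-1], trusted))
			break
		}
		chain = append(chain, u)
	}
	// Validity is checked only once a chain is complete, so an expired anchor is a hard failure.
	for _, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return chain, fmt.Errorf("certificate has expired: %s", c.Subject.CommonName)
		}
	}
	return chain, nil
}

func main() {
	leaf, served, bundle := newFixture()
	_, e1 := buildChain(leaf, served, bundle, false)
	_, e2 := buildChain(leaf, served, bundle, true)
	_, e3 := buildChain(leaf, served, bundle[1:], false)
	fmt.Printf("1.0.2 default, expired root in bundle: %v\nTRUSTED_FIRST, expired root in bundle: %v\n1.0.2 default, expired root removed: %v\n", e1, e2, e3)
}
```

Running it prints the expiry error for the first case and `<nil>` for the other two. Calling buildChain with bundle[:1] (only the expired root) and trustedFirst=true still fails: trusted-first only helps a client whose bundle also contains the self-signed ISRG Root X1, which is why the fix is the flag plus an up-to-date bundle, not the flag alone.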
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?10ff4d55-9889-9b79-d89a-2a0bca19f648>