Subject: Re: expired Lets Encrypt CA and fetch
From: mike tancsa <mike@sentex.net>
To: freebsd-questions@freebsd.org
Date: Fri, 1 Oct 2021 10:24:47 -0400
Message-ID: <10ff4d55-9889-9b79-d89a-2a0bca19f648@sentex.net>
In-Reply-To: <0a181938-ca91-4e79-19b3-f774b854a600@sentex.net>

On 10/1/2021 9:23 AM, mike tancsa wrote:
> On 9/30/2021 9:14 PM, tech-lists wrote:
>> Hi,
>>
>> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>>
>>> fails on releng11 and some RELENG_12, but not recent releng13.  Does
>>> anyone know what's going on and why it's so inconsistent ?
>>> If I remove the
>>> expired CA entry from the bundle, it works but I don't have to on all
>>> clients ? Anyone know what's going on ?
>> It fails for me on 12.2-p7 and 13.0-p4 and stable/13 as of a few days
>> ago with fetch.
>>
>> I have no clue why your recent releng13 works. Maybe your fetch on
>> there is linked to the ssl a browser would use?
> Digging a bit further, it depends what the server sends and how the
> client works. e.g. does the server send along both the expired
> intermediary and not expired. Can an intermediary be trusted like a
> root? etc.
>
> The OpenBSD guys made a change that could break some applications, but I
> am not sure what
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
>
>
> I am guessing (not tested) something like this on RELENG_11 ?  Note the
> discussion at
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
>       "default",                 /* X509 default parameters */
>       0,                         /* Check time */
>       0,                         /* internal flags */
> -     0,                         /* flags */
> +     X509_V_FLAG_TRUSTED_FIRST, /* flags */
>       0,                         /* purpose */
>       0,                         /* trust */
>       100,                       /* depth */
>
>
>     ---Mike

This does seem to work.  If I patch the file then

cd /usr/src/secure
make depend
make
make install

fetch on RELENG_11 no longer complains.  Whether or not I am doing some
massive foot shooting, I am not sure. I think I will ask on
freebsd-security

    ---Mike
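Review bot: the "+     X509_V_FLAG_TRUSTED_FIRST, /* flags */" line changes the compiled-in "default" X509_VERIFY_PARAM entry with no comment saying why, and since that table is the baseline every verification context in base libcrypto starts from, the change reaches every program linked against it, not only fetch. Add a comment on that line naming the expired-root chain-building problem and the OpenSSL blog post linked above so the local change survives the next vendor import, and consider the narrower fix of setting the flag only in the client that needs it (X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx), X509_V_FLAG_TRUSTED_FIRST) in libfetch) before altering the library-wide default; note also that the rebuild described below only covers what lives under secure/, so anything statically linked against the old libcrypto keeps the old behaviour until it is rebuilt too.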
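To see why the result differs with the trust bundle and with what the server sends, here is an added example (not from this thread, nor FreeBSD's or OpenSSL's own code) that builds a throwaway PKI shaped like the Let's Encrypt chain on 2021-10-01 and runs openssl verify over it. Every name, key, validity period and file in it is constructed for the demo; the real certificates are not embedded. The verify time is pushed two days ahead so the stand-ins for DST Root CA X3 and the cross-signed ISRG Root X1 are expired while everything else is valid. OpenSSL 1.1.0 and later build chains trusted-first by default, so the "default flags" line prints OK there; on an unpatched 1.0.2 it prints FAIL, which is the case the x509_vpm.c patch above addresses. The -trusted_first option is the command-line form of X509_V_FLAG_TRUSTED_FIRST.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed stand-ins:
#   Old Root        = DST Root CA X3 (expired at verify time)
#   New Root        = ISRG Root X1, self-signed, what an updated bundle trusts
#   cross.pem       = New Root's subject and key, but issued by Old Root
#                     (the expired cross-sign Let's Encrypt servers still sent)
#   Intermediate R3 = R3, issued by New Root
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectAltName = DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

Q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure
for k in old new int leaf; do Q openssl ecparam -name prime256v1 -genkey -noout -out $k.key; done

# Self-signed roots. Old Root gets one day so it has expired at the verify time below.
Q openssl req -new -x509 -config cnf -key old.key -subj "/CN=Old Root" -days 1    -extensions ca_ext -out old_root.pem
Q openssl req -new -x509 -config cnf -key new.key -subj "/CN=New Root" -days 3650 -extensions ca_ext -out new_root.pem
# Cross-sign: same subject and key as new_root.pem, issued by (and expiring with) Old Root.
Q openssl req -new -config cnf -key new.key -subj "/CN=New Root" -out new.csr
Q openssl x509 -req -in new.csr -CA old_root.pem -CAkey old.key -CAcreateserial -days 1 -extfile cnf -extensions ca_ext -out cross.pem
# Intermediate and leaf hang off New Root only.
Q openssl req -new -config cnf -key int.key -subj "/CN=Intermediate R3" -out int.csr
Q openssl x509 -req -in int.csr -CA new_root.pem -CAkey new.key -CAcreateserial -days 365 -extfile cnf -extensions ca_ext -out int.pem
Q openssl req -new -config cnf -key leaf.key -subj "/CN=example.test" -out leaf.csr
Q openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 -extfile cnf -extensions leaf_ext -out leaf.pem

# What the server sends alongside the leaf (untrusted chain certificates).
cat int.pem cross.pem > chain_full.pem    # R3 + expired cross-signed root
cp  int.pem             chain_short.pem   # R3 only
# Client trust bundles.
cp  old_root.pem               store_old_only.pem  # bundle that never got the new root
cat old_root.pem new_root.pem > store_both.pem     # usual bundle, expired entry still in it
cp  new_root.pem               store_new_only.pem  # expired entry removed from the bundle

# Verify as of two days from now, when Old Root and cross.pem have expired.
ATTIME=$(( $(date +%s) + 2 * 86400 ))

# outcome STORE CHAIN [extra openssl verify flags] -> prints OK or FAIL, never aborts the script
outcome() {
  store=$1; chain=$2; shift 2
  if openssl verify -attime "$ATTIME" -CAfile "$store" -untrusted "$chain" "$@" leaf.pem >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

echo "old root only, full chain:              $(outcome store_old_only.pem chain_full.pem)"
echo "both roots, full chain, default flags:  $(outcome store_both.pem chain_full.pem)"
echo "both roots, full chain, -trusted_first: $(outcome store_both.pem chain_full.pem -trusted_first)"
echo "expired root removed, full chain:       $(outcome store_new_only.pem chain_full.pem)"
echo "both roots, cross cert not sent:        $(outcome store_both.pem chain_short.pem)"
```

Run it with sh on any host that has the openssl binary. The five lines map onto the observations in the thread: a bundle that only knows the old root fails on every OpenSSL version because the only chain ends at an expired anchor; a bundle holding both roots fails on 1.0.2 without trusted-first because the builder takes the cross-signed certificate from the untrusted set and walks into the expired root, and succeeds once the trust store is consulted first; removing the expired entry from the bundle works because the path through the cross-signed certificate can no longer be completed and the self-signed new root is the only remaining path; and a server that stops sending the cross-signed certificate sidesteps the problem for every client.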