From owner-freebsd-security@freebsd.org Fri Oct 1 22:51:13 2021
Date: Fri, 1 Oct 2021 15:51:04 -0700
From: John-Mark Gurney
To: mike tancsa
Cc: "freebsd-security@freebsd.org"
Subject: Re: openssl patch for RELENG_11 to work around Lets Encrypt work around
Message-ID: <20211001225104.GA74427@funkthat.com>
In-Reply-To: <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>
X-Operating-System: FreeBSD 11.3-STABLE amd64

mike tancsa wrote this message on Fri, Oct 01, 2021 at 10:31 -0400:
> I was hoping people with expertise on this issue could chime in about
> the implications of running with this patch on FreeBSD 11 which I know
> is now out of support.
>
> This patch is inspired by
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
> with caveats from
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
>       "default",                 /* X509 default parameters */
>       0,                         /* Check time */
>       0,                         /* internal flags */
> -     0,                         /* flags */
> +     X509_V_FLAG_TRUSTED_FIRST, /* flags */
>       0,                         /* purpose */
>       0,                         /* trust */
>       100,                       /* depth */
>
>
> Am I opening myself up to more issues by doing this? This is however the
> default on RELENG_12 and above.

I don't think there are any issues with that patch, but I'd recommend you
just do workaround 1 in the second link, that is, remove the expired DST
X3 cert and make sure the new ISRG X1 cert is present. Either way, hosts
have to be updated to support it, and this method can be done via an
update to the ca_root_nss package, which is less invasive than the above
patch.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
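Review bot: the changed `flags` line carries no comment saying why the "default" parameter set now enables X509_V_FLAG_TRUSTED_FIRST; since this will live on as a local patch to an out-of-support branch, a one-line note next to the flag pointing at the Let's Encrypt root expiry and the openssl.org blog post quoted above would tell the next maintainer what it is for and when it can go. The patch description should also say that only the built-in "default" table entry (the `"default", /* X509 default parameters */` context line) is changed, so any verification context whose flags are set explicitly elsewhere does not inherit it.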
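As an added illustration that is not code from the thread or from OpenSSL, a small Python model of the issuer lookup order that X509_V_FLAG_TRUSTED_FIRST controls, using constructed stand-ins for the Let's Encrypt chain; the certificate names, dates and result strings are assumptions, and the model covers only the flag's effect, not the trust-store workaround the reply recommends.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed stand-ins for the Let's Encrypt chain; expiry dates are only
# illustrative and signatures are not modelled at all.
LEAF = Cert("www.example.org", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
TODAY = date(2021, 10, 1)  # the day after DST Root CA X3 expired

def find_issuer(cert, pool):
    return next((c for c in pool if c.subject == cert.issuer), None)

def build_chain(leaf, untrusted, trusted, trusted_first, today=TODAY):
    """Model of the issuer lookup order that X509_V_FLAG_TRUSTED_FIRST controls.

    Without the flag a peer-supplied (untrusted) issuer wins over one in the
    trust store; with it the store is consulted first at every step, so a
    trusted self-signed root ends the chain before the cross-sign is followed.
    Returns (chain subjects, result string).
    """
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:  # stop at a self-signed cert
        pools = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        nxt = find_issuer(chain[-1], pools[0]) or find_issuer(chain[-1], pools[1])
        if nxt is None:
            return [c.subject for c in chain], "unable to get issuer certificate"
        chain.append(nxt)
    subjects = [c.subject for c in chain]
    if chain[-1] not in trusted:
        return subjects, "self signed certificate in certificate chain"
    expired = [c.subject for c in chain if c.not_after < today]
    if expired:
        return subjects, "certificate has expired: " + expired[0]
    return subjects, "ok"

def verify_demo(trusted_first):
    """The server sends leaf + R3 + cross-signed ISRG Root X1; the trust store
    still holds both the expired DST Root CA X3 and the self-signed ISRG Root X1."""
    return build_chain(LEAF, [R3, ISRG_X1_CROSS], [ISRG_X1_SELF, DST_X3], trusted_first)
```

Calling `verify_demo(False)` walks through the cross-signed ISRG Root X1 into the expired DST Root CA X3 and fails, while `verify_demo(True)` stops at the trusted self-signed ISRG Root X1 and succeeds, which is the difference the quoted patch buys on RELENG_11.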