From nobody Wed Dec  7 21:06:06 2022
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NS8w56nH7z4jqhw
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Wed,  7 Dec 2022 21:06:13 +0000 (UTC)
	(envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [209.237.23.5])
	(using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NS8w51ql9z3q5W
	for <freebsd-security@freebsd.org>; Wed,  7 Dec 2022 21:06:13 +0000 (UTC)
	(envelope-from marquis@roble.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=roble.com header.s=rs060402 header.b=IOWphMAs;
	spf=pass (mx1.freebsd.org: domain of marquis@roble.com designates 209.237.23.5 as permitted sender) smtp.mailfrom=marquis@roble.com;
	dmarc=pass (policy=none) header.from=roble.com
Received: from roble.com (roble.com [209.237.23.50])
	by mx5.roble.com (Postfix) with ESMTP id 5067F72C62
	for <freebsd-security@freebsd.org>; Wed,  7 Dec 2022 13:06:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=roble.com;
	s=rs060402; t=1670447166;
	bh=qG1drqybmLO1QyZ5KWapvW61zQCjxK2NYFW16h/8aCA=;
	h=Date:From:To:Subject;
	b=IOWphMAsG4BtJqz2nlWrRa9mtstMvS+T6Oaall+IL6KHyy9qzzEqksb3p0F7522Dv
	 Jx5Wh2yLhw0uYmdtzAEGjbnabQ2AuKGU/acDM2i2CkOMw/m1FXK796mr6XIcaUtw2W
	 Wjs32HYrcDn1cIekJAAWu1Ex9+6BLbJBx80/wgys=
Date: Wed, 7 Dec 2022 13:06:06 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Subject: Re: CA's TLS Certificate Bundle in base = BAD
Message-ID: <4n4804p0-n4nr-1q6s-5842-69qr287rqrq5@mx.roble.com>
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
X-Spamd-Result: default: False [-2.99 / 15.00];
	FAKE_REPLY(1.00)[];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.99)[-0.985];
	DMARC_POLICY_ALLOW(-0.50)[roble.com,none];
	R_SPF_ALLOW(-0.20)[+ip4:209.237.23.0/24];
	R_DKIM_ALLOW(-0.20)[roble.com:s=rs060402];
	MIME_GOOD(-0.10)[text/plain];
	RCVD_TLS_LAST(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	DKIM_TRACE(0.00)[roble.com:+];
	RCPT_COUNT_ONE(0.00)[1];
	ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
	TO_DN_NONE(0.00)[];
	RCVD_COUNT_TWO(0.00)[2]
X-Rspamd-Queue-Id: 4NS8w51ql9z3q5W
X-Spamd-Bar: --
X-ThisMailContainsUnwantedMimeParts: N

After running a 12.4 installworld found TrustCor certs had been
reinstalled.  Out of curiosity, were these known bad certificates
intentionally left in RELEASE?  If so it does appear we could use a
ports-based solution.  At this point all the port would need to do is
periodically "rm /usr/share/certs/trusted/TrustCor*" but there's sure to
be room for options to better harden PKI.

Roger Marquis