Date:      Wed, 20 Oct 2021 15:13:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 259314] security/ca_root_nss: still including expired let's encrypt certificate causing issues
Message-ID:  <bug-259314-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259314

            Bug ID: 259314
           Summary: security/ca_root_nss: still including expired let's
                    encrypt certificate causing issues
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: missoline@protonmail.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Hello,

Do we know when security/ca_root_nss will simply remove the expired certificate
DST Root CA X3 from their bundle?

We're running FreeBSD 12.2 and are using a software stack being exposed to this
bug in OpenSSL [1], which is also documented by the guys at TrueNAS [2] (because
the technology we rely on maintains its own old fork of OpenSSL). Basically,
because of this bug in OpenSSL, if the expired certificate is present in the
trust store, the expired cert is picked instead of the new one, which of course
results in a TLS authentication failure. So apps cannot connect to websites and
APIs using a Let's Encrypt certificate... (which represents many endpoints
these days).

We're going to keep removing the cert manually for the time being, but this is
not a sustainable solution I'm afraid; it'd be much better if upstream just
removed it. How fast are expired certs usually removed from the bundle?

[1]: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
[2]: https://www.truenas.com/community/threads/ssl-certificate-problem-certificate-has-expired-the-openssl-1-0-2-vs-letsencrypt-issue.95874/

-- 
You are receiving this mail because:
You are the assignee for the bug.
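The manual workaround the reporter describes, taking the expired DST Root CA X3 out of the ca_root_nss bundle by hand, as an added example (this is not code from the bug report, the port, or NSS): it finds every certificate in a PEM bundle whose notAfter has passed and returns the bundle without them, reading just enough DER with the Python standard library that it does not depend on the same OpenSSL whose chain building is the problem. The certificates it runs on are constructed stand-ins produced by the small DER encoder at the bottom; their CNs and dates mirror the two Let's Encrypt roots, but they are unsigned dummies, not the real certificates. The ca-root-nss.crt path in the final comment is an assumed location, and the timezone handling of two-digit UTCTime years is noted inline.

```python
import re
import ssl
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as aware UTC."""
    text = raw.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; strptime maps 00-68 to 20xx, RFC 5280 says 00-49, same for any real cert
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:  # YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected Time tag 0x%02x" % tag)


def _common_name(der, start, end):
    """Return the CN from a DER Name: SEQUENCE OF (SET OF SEQUENCE { OID, value })."""
    p = start
    while p < end:
        _, rdn_start, rdn_end = _tlv(der, p)
        q = rdn_start
        while q < rdn_end:
            _, attr_start, attr_end = _tlv(der, q)
            _, oid_start, oid_end = _tlv(der, attr_start)
            if der[oid_start:oid_end] == OID_CN:
                vtag, vs, ve = _tlv(der, oid_end)
                return der[vs:ve].decode("utf-16-be" if vtag == 0x1E else "utf-8")
            q = attr_end
        p = rdn_end
    return "<no CN>"


def parse_cert(der):
    """Return (subject CN, notAfter) by walking tbsCertificate field by field."""
    _, p, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)             # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                    # [0] EXPLICIT version, absent in v1 certificates
        p = end
    for _ in range(3):                 # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, v, p = _tlv(der, p)             # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, v = _tlv(der, v)             # skip notBefore
    tag, s, e = _tlv(der, v)
    not_after = _parse_time(tag, der[s:e])
    _, s, e = _tlv(der, p)             # subject
    return _common_name(der, s, e), not_after


def prune_expired(bundle_pem, now=None):
    """Return (bundle text without expired certs, [(cn, notAfter)] that were dropped)."""
    now = now or datetime.now(timezone.utc)
    kept, dropped = [], []
    for m in PEM_RE.finditer(bundle_pem):
        cn, not_after = parse_cert(ssl.PEM_cert_to_DER_cert(m.group(0)))
        if not_after <= now:
            dropped.append((cn, not_after))
        else:
            kept.append(m.group(0) + "\n")
    return "".join(kept), dropped


# Constructed test data: a minimal DER encoder producing unsigned stand-in certificates.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))


def _utc(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def make_test_cert_pem(cn, not_before, not_after):
    """Syntactically valid X.509 v3 shell with a dummy key and signature, for parsing tests only."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(cn)
               + _der(0x30, _utc(not_before) + _utc(not_after)) + _name(cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))  # dummy SubjectPublicKeyInfo, never read
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 9)))


def sample_bundle():
    """Two stand-ins whose CNs and dates mirror the Let's Encrypt roots in the report (not the real certs)."""
    utc = timezone.utc
    return (make_test_cert_pem("DST Root CA X3", datetime(2000, 9, 30, 21, 12, 19, tzinfo=utc),
                               datetime(2021, 9, 30, 14, 1, 15, tzinfo=utc))
            + make_test_cert_pem("ISRG Root X1", datetime(2015, 6, 4, 11, 4, 38, tzinfo=utc),
                                 datetime(2035, 6, 4, 11, 4, 38, tzinfo=utc)))


def demo(now=datetime(2021, 10, 20, tzinfo=timezone.utc)):
    """Prune the sample bundle as of the report's date; returns the CNs kept and dropped."""
    kept_pem, dropped = prune_expired(sample_bundle(), now)
    kept = [parse_cert(ssl.PEM_cert_to_DER_cert(m.group(0)))[0] for m in PEM_RE.finditer(kept_pem)]
    return {"kept": kept, "dropped": [(cn, t.isoformat()) for cn, t in dropped]}


if __name__ == "__main__":
    print(demo())
    # Assumed bundle path on FreeBSD; write the first element of the result back to a new file:
    # prune_expired(open("/usr/local/share/certs/ca-root-nss.crt").read())
```

Dropping an expired root only helps verifiers that commit to the first chain they build, which is the OpenSSL 1.0.2 behaviour the cited post [1] describes; it is a workaround for the client, not a fix for the bundle's maintainers, and the pruned file must be regenerated after every ca_root_nss update or it will reappear.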