From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 259314] security/ca_root_nss: still including expired let's encrypt certificate causing issues
Date: Wed, 20 Oct 2021 15:13:33 +0000
List-Id: Ports bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259314

            Bug ID: 259314
           Summary: security/ca_root_nss: still including expired let's
                    encrypt certificate causing issues
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: missoline@protonmail.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Hello,

Do we know when security/ca_root_nss will simply remove the expired certificate DST Root CA X3 from their bundle?

We're running FreeBSD 12.2 and are using a software stack being exposed to this bug in openssl [1], which is also documented by the guys at TrueNAS [2] (because the technology we rely on maintains its own old fork of openssl).
Basically, because of this bug in openssl, if the expired certificate is present in the trust store, the expired cert is picked instead of the new one, which of course results in a TLS authentication failure. So apps cannot connect to websites and APIs using a Let's Encrypt certificate... (which represents many endpoints these days).

We're going to keep removing the cert manually for the time being, but this is not a sustainable solution I'm afraid; it'd be much better if upstream just removed it.

How fast are expired certs usually removed from the bundle?

[1]: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
[2]: https://www.truenas.com/community/threads/ssl-certificate-problem-certificate-has-expired-the-openssl-1-0-2-vs-letsencrypt-issue.95874/

-- 
You are receiving this mail because:
You are the assignee for the bug.