Date: Fri, 01 Oct 2021 10:00:06 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 258834] security/ca_root_nss: request to remove outdated "DST Root CA X3" cert b/c of collateral damage
Message-ID: <bug-258834-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258834

Bug ID: 258834
Summary: security/ca_root_nss: request to remove outdated "DST Root CA X3" cert b/c of collateral damage
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ports-secteam@FreeBSD.org
Reporter: tphilipp@potion-studios.com
Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)
Assignee: ports-secteam@FreeBSD.org

Hello,

Since yesterday, the "DST Root CA X3" (44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) cert has expired, and although that's in theory not a big deal and normal, it seems to cause problems for different applications. E.g. unbound fails to verify certs of DoT servers that use LE certificates. Removing that cert from the bundle fixes the issue.

I think in unbound's case, it is misled into following the wrong chain, so removing this cert results in a working verification using the certs it actually is supposed to look at... dunno, sorry for not having analyzed this further.

This is not the ca_root_nss pkg's fault from what I understand, but rather bugs in different applications, so sorry for opening this PR about ca_root_nss - however, it's safe to remove the outdated cert, and it'll implicitly fix other stacks. Other vendors seem to have followed the same approach, e.g. Apple.

More info:
https://old.reddit.com/r/sysadmin/comments/pyzb6s/did_the_lets_encrypt_dst_ca_x3_root_certificate/
https://forum.opnsense.org/index.php?PHPSESSID=0fu9b0q69p7l53agatlc4b0lgk&topic=24950.0

Note: there was a release for v3.71, also, yesterday, maybe upstream removed this themselves.

-- 
You are receiving this mail because:
You are the assignee for the bug.
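As an added example (not from the bug report or the ca_root_nss port), here is a stdlib-only Python script that does what the reporter did by hand: split a PEM bundle, read each certificate's notAfter straight from the DER, and write the bundle back without the expired roots. The two entries in SAMPLE_BUNDLE are constructed stubs carrying only the DER fields the parser walks (empty issuer and subject), not real certificates; the first is given the 2021-09-30 expiry of DST Root CA X3.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV at pos: returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as aware UTC."""
    _, cert, _ = tlv(der, 0)
    _, tbs, _ = tlv(cert, 0)
    tag, _, pos = tlv(tbs, 0)            # [0] version (v3 certs) or serialNumber (v1 certs)
    if tag == 0xA0:
        _, _, pos = tlv(tbs, pos)        # serialNumber
    _, _, pos = tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)            # issuer Name
    _, validity, _ = tlv(tbs, pos)       # Validity SEQUENCE { notBefore, notAfter }
    _, _, pos = tlv(validity, 0)         # notBefore, skipped
    tag, raw, _ = tlv(validity, pos)     # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def prune_expired(bundle_text, now):
    """Return (bundle text with expired certs removed, list of dropped notAfter values)."""
    kept, dropped = [], []
    for m in PEM_RE.finditer(bundle_text):
        not_after = cert_not_after(base64.b64decode("".join(m.group(1).split())))
        if not_after > now:
            kept.append(m.group(0))      # keep the PEM block verbatim
        else:
            dropped.append(not_after)
    return "\n".join(kept) + "\n", dropped

# Constructed stubs: only the fields the parser walks, short-form lengths; not real certificates.
def der(tag, body):
    return bytes([tag, len(body)]) + body
def stub_cert(not_after_utctime):
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, not_after_utctime))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"") + validity
    return der(0x30, der(0x30, tbs))     # Certificate { tbsCertificate { ... } }
def pem_wrap(d):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(d).decode()
# Sample bundle: one stub expiring when DST Root CA X3 did (2021-09-30 14:01:15 UTC), one valid until 2035.
SAMPLE_BUNDLE = pem_wrap(stub_cert(b"210930140115Z")) + "\n" + pem_wrap(stub_cert(b"350101000000Z")) + "\n"
```

Running `prune_expired(SAMPLE_BUNDLE, datetime.now(timezone.utc))` returns the bundle with only the second stub and a one-element dropped list; point it at the real ca_root_nss bundle to see which roots have lapsed before deciding whether an application's chain-building bug is being triggered by one of them.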