Date:      Fri, 01 Oct 2021 10:00:06 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 258834] security/ca_root_nss: request to remove outdated "DST Root CA X3" cert b/c of collateral damage
Message-ID:  <bug-258834-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258834

            Bug ID: 258834
           Summary: security/ca_root_nss: request to remove outdated "DST
                    Root CA X3" cert b/c of collateral damage
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: tphilipp@potion-studios.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Hello,

Since yesterday, the "DST Root CA X3"
(44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) cert has expired, and although
that's in theory not a big deal and normal, it seems to cause problems for
different applications. E.g. unbound fails to verify certs of DoT servers that
use LE certificates. Removing that cert from the bundle fixes the issue. I
think in unbound's case, it is misled into following the wrong chain, so removing
this cert results in a working verification using the certs it actually is
supposed to look at... dunno, sorry for not having analyzed this further.

This is not the ca_root_nss pkg's fault from what I understand, but rather bugs
in different applications, so sorry for opening this PR about ca_root_nss;
however, it's safe to remove the outdated cert, and it'll implicitly fix other
stacks. Other vendors seem to have followed the same approach, e.g. Apple.

more info:
https://old.reddit.com/r/sysadmin/comments/pyzb6s/did_the_lets_encrypt_dst_ca_x3_root_certificate/
https://forum.opnsense.org/index.php?PHPSESSID=0fu9b0q69p7l53agatlc4b0lgk&topic=24950.0

Note: there was also a release of v3.71 yesterday; maybe upstream removed
this themselves.

-- 
You are receiving this mail because:
You are the assignee for the bug.
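As an added example (not part of the bug report or of the ca_root_nss port), the script below does for a whole PEM bundle what the reporter did by hand: it reads each certificate's serial number and validity period straight from the DER, lists every certificate already past its notAfter, and writes out a bundle without them. Everything here is constructed for the example: the minimal DER walker, the synthetic_cert builder (which produces structurally valid but unsigned certificates purely as test input), and the sample bundle, which reuses the serial quoted in the report but whose dates are chosen for the demonstration rather than copied from the real certificates. The bundle path in the comments is the one ca_root_nss installs (/usr/local/share/certs/ca-root-nss.crt); the script itself works on any PEM file it is given.

```python
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_info(der):
    """Return (serial_hex, not_before, not_after) from a DER Certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0         # skip optional [0] EXPLICIT version
    _, serial, pos = _tlv(tbs, pos)         # serialNumber INTEGER
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer Name
    _, validity, _ = _tlv(tbs, pos)         # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return ":".join(f"{b:02x}" for b in serial), _time(t1, nb), _time(t2, na)

def filter_bundle(pem_bytes, now=None):
    """Return (kept_pem, dropped): kept_pem is the bundle minus every certificate
    already past notAfter; dropped lists (serial_hex, not_after) for those."""
    now = now or datetime.now(timezone.utc)
    kept, dropped = [], []
    for m in PEM_RE.finditer(pem_bytes):
        der = base64.b64decode(b"".join(m.group(1).split()))
        serial, _, not_after = cert_info(der)
        if not_after < now:
            dropped.append((serial, not_after))
        else:
            kept.append(m.group(0))
    return b"\n".join(kept) + b"\n", dropped

def _der(tag, content):
    """Encode a short-form DER TLV; only used to build the constructed test data."""
    return bytes([tag, len(content)]) + content

def synthetic_cert(serial, not_before, not_after):
    """Constructed test data: a structurally valid but UNSIGNED certificate with
    empty names and a placeholder key. It parses; nothing could ever verify it."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                              # version v3
        _der(0x02, serial),                                           # serialNumber
        _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b"))),  # sha256WithRSA
        _der(0x30, b""),                                              # issuer
        _der(0x30, utc(not_before) + utc(not_after)),                 # validity
        _der(0x30, b""),                                              # subject
        _der(0x30, b""),                                              # subjectPublicKeyInfo
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert)
            + b"\n-----END CERTIFICATE-----")

def sample_bundle():
    """Constructed bundle: a root carrying the serial quoted in the PR with a
    notAfter of 2021-09-30, plus a root that stays valid until 2035."""
    expired = synthetic_cert(bytes.fromhex("44afb080d6a327ba893039862ef8406b"),
                             datetime(2000, 9, 30, 21, 12, 19, tzinfo=timezone.utc),
                             datetime(2021, 9, 30, 14, 1, 15, tzinfo=timezone.utc))
    valid = synthetic_cert(b"\x01",
                           datetime(2015, 6, 4, 11, 4, 38, tzinfo=timezone.utc),
                           datetime(2035, 6, 4, 11, 4, 38, tzinfo=timezone.utc))
    return expired + b"\n" + valid + b"\n"

def demo(now=datetime(2021, 10, 1, 10, 0, 6, tzinfo=timezone.utc)):
    """Filter the constructed bundle as of the PR's date: (certs kept, dropped)."""
    kept, dropped = filter_bundle(sample_bundle(), now)
    return kept.count(b"-----BEGIN CERTIFICATE-----"), dropped

if __name__ == "__main__":
    # usage: prune_expired.py [/usr/local/share/certs/ca-root-nss.crt] > pruned.pem
    # (no argument: runs over the constructed sample bundle)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_bundle()
    kept, dropped = filter_bundle(data)
    for serial, na in dropped:
        print(f"dropping {serial} (expired {na:%Y-%m-%d %H:%M:%S} UTC)", file=sys.stderr)
    sys.stdout.buffer.write(kept)
```

The walker reads only the fields it needs and checks no signatures, so treat its output as a candidate list: diff the pruned file against the installed bundle and confirm the dropped serials before replacing anything. A pruned bundle will be overwritten on the next package update, so the edit has to be repeated (or scripted) until upstream ships a bundle without the expired root.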