Date: Thu, 06 Jul 2017 12:52:31 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 220511] [PATCH] security/ca_root_nss: Add port option to remove duplicate certs based on Subject
Message-ID: <bug-220511-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220511

            Bug ID: 220511
           Summary: [PATCH] security/ca_root_nss: Add port option to remove
                    duplicate certs based on Subject
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: jim+freebsd@pirzyk.org
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 184124
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184124&action=edit
Patch to add make option

The current ca_root_nss package will bundle up certificates based on their
Subject and Serial; this works well for most packages but it does present a
problem for OpenVPN. OpenVPN insists only on unique Subjects, see
https://forums.freebsd.org/threads/60254/

Currently StartSSL has two certs in ca_root_nss, Serial 0 and 45. They
represent SHA1 and SHA256. The attached patch will use Serial 45 cert and
ignore the SHA1 cert (based on larger Serial Numbers).

Ideally the solution is to get OpenVPN to properly handle multiple CAs with
the same Subject line (using the Serial) but until then, this is a plausible
workaround.

This option is not on by default.

-- 
You are receiving this mail because:
You are the assignee for the bug.
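
Added example (not part of the original report and not the attached patch): a sketch of the selection rule described above, keeping one certificate per Subject in a PEM bundle and preferring the larger serial. Assumptions: Subjects are compared byte-for-byte on their DER encoding, the function names are hypothetical, and the sample bundle is built from constructed skeleton certificates that are not validly signed.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_and_serial(pem):
    """Extract (raw DER Subject bytes, serial number) from one PEM certificate."""
    der = base64.b64decode(PEM_RE.search(pem).group(1))
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]   # Certificate -> tbsCertificate
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version comes first
        tag, val, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)
    for _ in range(3):                      # skip signature algorithm, issuer, validity
        pos = read_tlv(tbs, pos)[2]
    return read_tlv(tbs, pos)[1], serial    # assumption: Subject compared as raw bytes

def dedupe_by_subject(bundle):
    """Return (kept, dropped) PEM lists: one cert per Subject, largest serial wins."""
    best, dropped = {}, []
    for m in PEM_RE.finditer(bundle):
        pem = m.group(0)
        subject, serial = subject_and_serial(pem)
        if subject in best and best[subject][0] >= serial:
            dropped.append(pem)             # an equal or larger serial is already kept
            continue
        if subject in best:
            dropped.append(best[subject][1])
        best[subject] = (serial, pem)
    return [p for _, p in best.values()], dropped

# Constructed sample input: skeleton certificates, not validly signed ones.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)
def sample_pem(cn, serial):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") + name + tlv(0x30, b"") + name)
    body = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

SAMPLE = "\n".join(sample_pem(cn, s) for cn, s in
                   [("Example Root CA", 0), ("Other Root CA", 7), ("Example Root CA", 45)])
```

Returning the dropped list alongside the kept one lets an operator review exactly which trust anchors were removed from the bundle before deploying it.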