Date: Sat, 6 Jun 2020 11:31:01 -0400 (EDT)
From: "John Capo" <jc@irbs.com>
To: "Andrea Venturoli" <ml@netfence.it>
Cc: freebsd-questions@freebsd.org
Subject: Re: Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
Message-ID: <59211.198.205.123.4.1591457461.squirrel@squirrelmail.mxes.net>
In-Reply-To: <247ae2fd-a7e8-146b-be43-47ca247cca10@netfence.it>
References: <5e1a71cd-6837-47f1-b485-c583550db48a@unixarea.de> <E8FACC8D-7BE7-4A59-ACE1-65CAFFD24715@rpi.edu> <247ae2fd-a7e8-146b-be43-47ca247cca10@netfence.it>
On Fri, June 5, 2020 11:08, Andrea Venturoli wrote:
> On 2020-06-01 00:16, Garance A Drosehn wrote:
>
>> There is a cert from AddTrust which expired early on Saturday. I
>> believe it was the cert for certificate-authority named USERTrust RSA.
>> This shouldn't have been a problem, because there is a newer cert for
>> that same CA which has not expired.
>>
>> I do not understand all the details, but apparently there is a bug in
>> versions of OpenSSL which are older than version 1.1. If the older
>> (now-expired) cert is known on some system, it is used instead of the
>> newer cert. And therefore that cert, and every cert which was generated
>> by that CA, is also considered invalid. This problem hit us at RPI on
>> many Red Hat systems yesterday.
>>
>> I also saw the problem in Mail.app on some of my older MacOS systems,
>> but Mail.app does not have this problem on MacOS Catalina.
>
> I can see it too, on many sites.
>
> E.g.
> "openssl s_client -connect www.allmusic.com:https" passes verification
> on 12.1, but fails on 11.3.
>
> Deleting the expired certificate from /etc/ssl/cert.pem is enough to
> solve the problem.
>
> Is anyone looking into this?
> What is the official position/suggestion for those stuck on 11.x?
> Has at least a bug been reported?

This worked for me to fix curl on 11.3. Get the Mozilla cert bundle from
here:

https://curl.haxx.se/ca/cacert.pem

Replace the AddTrust External Root cert in that bundle with a new one from
here:

https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html

Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and
replace it with the modified bundle.

John Capo
Tuffmail.com
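As an added example (not code from this thread, from FreeBSD or from the curl project), here is the workaround Andrea and John describe, pruning the expired AddTrust External CA Root out of a PEM bundle, written as a script. It uses only the Python standard library, so it walks the X.509 DER structure itself, just far enough to read notAfter and the subject commonName, and drops every certificate whose notAfter is in the past. The bundle embedded at the bottom is constructed for the example: its two "certificates" have the real X.509 field layout and the real AddTrust expiry time, but dummy keys and signatures. The function and constant names (prune_bundle, bundle_subjects, REFERENCE_NOW, fake_cert) are this example's own.

```python
"""Prune expired CA certificates from a PEM bundle (added example, stdlib only).

Automates what the thread does by hand: drop the expired AddTrust External
CA Root from a bundle such as /etc/ssl/cert.pem or
/usr/local/share/certs/ca-root-nss.crt and leave every other cert intact.
"""
import base64
import datetime as dt
import re
import sys

UTC = dt.timezone.utc
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                       # 2.5.4.3 commonName
# Constructed reference clock: the date of the mail this example follows.
REFERENCE_NOW = dt.datetime(2020, 6, 6, 15, 31, 1, tzinfo=UTC)


def der_tlvs(buf):
    """Split one DER level into (tag, value) pairs; single-byte tags suffice for X.509."""
    i, out = 0, []
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                      # long form: low bits = number of length octets
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + length]))
        i += length
    return out


def der_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:                            # RFC 5280: two-digit year, YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def cert_info(der):
    """Return (subject CN, notAfter) of one DER-encoded X.509 certificate."""
    cert = der_tlvs(der)[0][1]                 # Certificate SEQUENCE contents
    fields = der_tlvs(der_tlvs(cert)[0][1])    # tbsCertificate SEQUENCE contents
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_after = der_time(*der_tlvs(fields[3][1])[1])
    cn = None
    for _, rdn in der_tlvs(fields[4][1]):      # Name = SEQUENCE OF RelativeDistinguishedName
        for _, atv in der_tlvs(rdn):           # RDN = SET OF AttributeTypeAndValue
            oid, val = der_tlvs(atv)
            if oid[1] == OID_CN:
                cn = val[1].decode("utf-8")
    return cn, not_after


def prune_bundle(pem_text, now):
    """Return (kept PEM text, [(cn, notAfter), ...]) where the list holds certs expired at `now`."""
    kept, removed = [], []
    for m in PEM_RE.finditer(pem_text):
        cn, not_after = cert_info(base64.b64decode(m.group(1)))
        if not_after <= now:
            removed.append((cn, not_after))
        else:
            kept.append(m.group(0))
    return "".join(k + "\n" for k in kept), removed


def bundle_subjects(pem_text):
    """Subject CNs of every certificate in a bundle, in file order."""
    return [cert_info(base64.b64decode(m.group(1)))[0] for m in PEM_RE.finditer(pem_text)]


# --- constructed sample bundle: real field layout, dummy key and signature bytes ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(cn, not_before, not_after):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))
    utc = lambda t: tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + tlv(0x30, utc(not_before) + utc(not_after)) + name
              + tlv(0x30, alg + tlv(0x03, b"\x00")))                  # placeholder SPKI
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))                  # empty signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Validity dates mirror the real roots (AddTrust expired 2020-05-30 10:48:38Z).
SAMPLE_BUNDLE = (
    fake_cert("AddTrust External CA Root",
              dt.datetime(2000, 5, 30, 10, 48, 38, tzinfo=UTC), dt.datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC))
    + fake_cert("USERTrust RSA Certification Authority",
                dt.datetime(2010, 2, 1, tzinfo=UTC), dt.datetime(2038, 1, 18, 23, 59, 59, tzinfo=UTC))
)

if __name__ == "__main__":
    # Usage: python3 prune_expired.py /etc/ssl/cert.pem > cert.pem.new   (no arg: sample bundle)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    kept, removed = prune_bundle(text, dt.datetime.now(UTC))
    for cn, when in removed:
        print(f"removed: {cn} (expired {when:%Y-%m-%d %H:%M:%S}Z)", file=sys.stderr)
    sys.stdout.write(kept)
```

Run it on a copy of /etc/ssl/cert.pem or /usr/local/share/certs/ca-root-nss.crt, keeping the original as John does. Two caveats: it removes every expired root, not only AddTrust, so read what it reports on stderr before installing the result; and it only removes, it does not add the newer USERTrust RSA root John downloads, so check with bundle_subjects that that CA is still present, since the chain has to end at it once the AddTrust root is gone. As the quoted messages say, this is only needed with the pre-1.1 OpenSSL on 11.x; 12.1 verifies the same servers without touching the bundle.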