Date: Fri, 01 Oct 2021 10:00:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258834 Bug ID: 258834 Summary: security/ca_root_nss: request to remove outdated "DST Root CA X3" cert b/c of collateral damage Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: ports-secteam@FreeBSD.org Reporter: firstname.lastname@example.org Flags: maintainer-feedback?(ports-secteam@FreeBSD.org) Assignee: ports-secteam@FreeBSD.org Hello, since yesterday, the "DST Root CA X3" (44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) cert expired, and although that's in theory not a big deal and normal, it seems to cause problems for different applications. E.g. unbound fails to verify certs of DoT servers that use LE certificates. Removing that cert from the bundle fixes the issue. I think in unbound's case, it is misled in following the wrong chain, so removing this cert results in a working verification using the certs it actually is supposed to look at... dunno, sorry for not having analyzed this further. This is not the ca_root_nss pkgs fault from what I understand, but rather bugs in different applications, so sorry for opening this PR about ca_root_nss - however, it's safe to remove the outdated cert, and it'll fix implicitly other stacks. Other vendors seem to have followed the same approach, e.g. Apple. more info: https://old.reddit.com/r/sysadmin/comments/pyzb6s/did_the_lets_encrypt_dst_ca_x3_root_certificate/ https://forum.opnsense.org/index.php?PHPSESSID=0fu9b0q69p7l53agatlc4b0lgk&topic=24950.0 note: there was a release for v3.71, also, yesterday, maybe upstream removed this themselves -- You are receiving this mail because: You are the assignee for the bug.