Blacklisted certificates

Ronald Klop ronald-lists at klop.ws
Sun Apr 4 10:25:29 UTC 2021


On 3/31/21 4:19 PM, Jochen Neumeister wrote:
> 
> On 31.03.21 at 14:24, Ronald Klop wrote:
>>
>> From: Jochen Neumeister <joneum at FreeBSD.org>
>> Date: Wednesday, 31 March 2021 13:26
>> To: Christoph Moench-Tegeder <cmt at burggraben.net>, 
>> freebsd-current at freebsd.org
>> Subject: Re: Blacklisted certificates
>>>
>>>
>>> On 31.03.21 at 13:02, Christoph Moench-Tegeder wrote:
>>> > ## Jochen Neumeister (joneum at FreeBSD.org):
>>> >
>>> >> Why are these certificates blacklisted?
>>> > Various reasons:
>>> > - Symantec (which owned Thawte and VeriSign back in the time) made
>>> >    the news in a bad way:
>>> >    https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
>>> > - some certificates are simply expired
>>> > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>>> >    beyond deprecated
>>> > - and basically "whatever Mozilla did", as the certificates are
>>> >    imported from NSS.
>>>
>>> How can I ignore the certificates now? So now everyone has this 
>>> problem with an update.
>>>
>>>
>>> Greetings
>>> Jochen
>>>
>>
>> Hi,
>>
>> This is the proper output of installworld. So you don't have to ignore 
>> anything anymore. It is handled by installworld.
>>
> 
> In the next step etcupdate has another problem. I have to delete the 
> blacklisted certificates manually.
> 
> #cd /usr/src && etcupdate
> Conflicts remain from previous update, aborting.
> 
> 
> Greetings
> Jochen
> 
> 



I'd guess you need to run "etcupdate resolve". What is the output of 
"etcupdate status"?

Regards,
Ronald.


