Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
John Capo
jc at irbs.com
Sat Jun 6 15:31:08 UTC 2020
On Fri, June 5, 2020 11:08, Andrea Venturoli wrote:
> On 2020-06-01 00:16, Garance A Drosehn wrote:
>
>
>> There is a cert from AddTrust which expired early on Saturday. I
>> believe it was the cert for certificate-authority named USERTrust RSA. This shouldn't have been a
>> problem, because there is a newer cert for that same CA which has not expired.
>>
>> I do not understand all the details, but apparently there is a bug in
>> versions of OpenSSL which are older than version 1.1. If the older (now-expired) cert is known
>> on some system, it is used instead of the newer cert. And therefore that cert, and every cert
>> which was generated by that CA is also considered invalid. This problem hit us at RPI on many
>> Redhat systems yesterday.
>>
>>
>> I also saw the problem in Mail.app on some of my older MacOS systems,
>> but Mail.app does not have this problem on MacOS catalina.
>
> I can see it too, on many sites.
>
>
> E.g.
> "openssl s_client -connect www.allmusic.com:https" passes verification
> on 12.1, but fails on 11.3.
>
> Deleting the expired certificate from /etc/ssl/cert.pem is enough to
> solve the problem.
>
> Is anyone looking into this?
> What is the official position/suggestion for those stuck on 11.x?
> Has at least a bug been reported?
>
This worked for me to fix curl on 11.3. Get the Mozilla cert bundle from here:
https://curl.haxx.se/ca/cacert.pem
Replace the AddTrust External Root cert in that bundle with a new one from here:
https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html
Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.
John Capo
Tuffmail.com
More information about the freebsd-questions
mailing list