Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]

Andrea Venturoli ml at netfence.it
Mon Jun 8 09:47:55 UTC 2020


On 2020-06-06 17:31, John Capo wrote:

> This worked for me to fix curl on 11.3.  Get the Mozilla cert bundle from here:
> 
>    https://curl.haxx.se/ca/cacert.pem
> 
> Replace the AddTrust External Root cert in that bundle with a new one from here:
> 
>    https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html
> 
> Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.

Hello.

As I said, removing the cert was enough for me; I didn't even need to 
add the updated one.
Of course this needs to be done on each host and each jail therein... 
and repeated after every security/ca_root_nss update.



My question was: is the project planning to solve this? How?
Or are we all expected to do the work ourselves on our boxes?



I guess patching security/ca_root_nss would be a fast workaround, while 
patching base openssl would be a lot more trouble.

Will 11.4 still have this bug?


  bye & Thanks
	av.
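
The removal step discussed in this message, as an added example that is not part of the original post or of any FreeBSD tooling: it generalizes from the single AddTrust certificate to every certificate in a PEM bundle that is expired (or expires within a grace period), using `openssl x509 -checkend`. The function name `prune_bundle`, its arguments and the backup path in the usage comment are assumptions made for illustration; only the PEM blocks are copied, so any text between certificates in the bundle is not carried over.

```sh
#!/bin/sh
# Added example: copy a PEM CA bundle, dropping every certificate that is
# already expired or that expires within GRACE seconds (default 0).
# Usage: prune_bundle SRC DST [GRACE]   -> prints "kept=N dropped=M"
prune_bundle() {
    src=$1 dst=$2 grace=${3:-0}
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    # Lines outside a block (comments, text dumps) are ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%05d.pem", dir, n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }
    ' "$src"
    kept=0 dropped=0
    : > "$dst"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        if openssl x509 -in "$c" -noout -checkend "$grace" >/dev/null 2>&1; then
            cat "$c" >> "$dst"
            kept=$((kept + 1))
        else
            # Log what is removed (stderr) so the change can be reviewed.
            openssl x509 -in "$c" -noout -subject -enddate >&2 || true
            dropped=$((dropped + 1))
        fi
    done
    rm -rf "$tmp"
    echo "kept=$kept dropped=$dropped"
}

# Usage with the bundle path from the thread (backup location is an example):
#   cp /usr/local/share/certs/ca-root-nss.crt /root/ca-root-nss.crt.orig
#   prune_bundle /root/ca-root-nss.crt.orig /usr/local/share/certs/ca-root-nss.crt
```

As the message notes, the result is overwritten by the next security/ca_root_nss update, so the function has to be re-run on each host and jail afterwards.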


More information about the freebsd-questions mailing list