Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]
Andrea Venturoli
ml at netfence.it
Mon Jun 8 09:47:55 UTC 2020
On 2020-06-06 17:31, John Capo wrote:
> This worked for me to fix curl on 11.3. Get the Mozilla cert bundle from here:
>
> https://curl.haxx.se/ca/cacert.pem
>
> Replace the AddTrust External Root cert in that bundle with a new one from here:
>
> https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html
>
> Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.
Hello.
As I said, removing the cert was enough for me; I didn't even need to
add the updated one.
Of course this needs to be done on each host and each jail therein...
and repeated after every security/ca_root_nss update.
My question was: is the project planning to solve this? How?
Or are we all expected to do the work ourselves on our boxes?
I guess patching security/ca_root_nss would be a fast workaround, while
patching base openssl would be a lot more trouble.
Will 11.4 still have this bug?
bye & Thanks
av.
More information about the freebsd-questions
mailing list