Openssl on 11.x and expired certificates [was: IMAP && Server certificate has expired]

Andrea Venturoli ml at
Mon Jun 8 09:47:55 UTC 2020

On 2020-06-06 17:31, John Capo wrote:

> This worked for me to fix curl on 11.3.  Get the Mozilla cert bundle from here:
> Replace the AddTrust External Root cert in that bundle with a new one from here:
> Save the existing /usr/local/share/certs/ca-root-nss.crt somewhere and replace it with the modified bundle.


As I said, removing the cert was enough for me; I didn't even need to 
add the updated one.
Of course this needs to be done on each host and each jail therein... 
and repeated after every security/ca_root_nss update.

My question was: is the project planning to solve this? How?
Or are we all expected to do the work ourselves on our boxes?

I guess patching security/ca_root_nss would be a fast workaround, while 
patching base openssl would be a lot more trouble.

Will 11.4 still have this bug?

  bye & Thanks

More information about the freebsd-questions mailing list