expired Lets Encrypt CA and fetch

mike tancsa mike at sentex.net
Fri Oct 1 13:23:55 UTC 2021


On 9/30/2021 9:14 PM, tech-lists wrote:
> Hi,
>
> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>
>> fails on releng11 and some RELENG_12, but not recent releng13.  Does
>> anyone know what's going on and why it's so inconsistent? If I remove the
>> expired CA entry from the bundle, it works, but I don't have to on all
>> clients? Anyone know what's going on?
>
> It fails for me on 12.2-p7 and 13.0-p4 and stable/13 as of a few days
> ago with fetch.
>
> I have no clue why your recent releng13 works. Maybe your fetch on
> there is linked to the ssl a browser would use? 

Digging a bit further, it depends on what the server sends and how the
client works, e.g. does the server send along both the expired
intermediary and the non-expired one? Can an intermediary be trusted like a
root? etc.

The OpenBSD guys made a change that could break some applications, but I
am not sure what.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig


I am guessing (not tested) something like this on RELENG_11? Note the
discussion at

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

--- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
09:16:51.753533000 -0400
+++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
09:19:39.708106000 -0400
@@ -537,7 +537,7 @@
      "default",                 /* X509 default parameters */
      0,                         /* Check time */
      0,                         /* internal flags */
-     0,                         /* flags */
+     X509_V_FLAG_TRUSTED_FIRST, /* flags */
      0,                         /* purpose */
      0,                         /* trust */
      100,                       /* depth */
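Review bot: the `---`/`+++` header lines have been wrapped by the mailer (the timestamps now sit on lines of their own at the top of the diff), so this patch will not apply until those two lines are rejoined; the hunk body itself is intact. Setting `X509_V_FLAG_TRUSTED_FIRST` in the `"default"` parameter table changes the library-wide verification default, so every consumer of the base OpenSSL on RELENG_11 gets the new chain-building order, not just fetch; given that the message itself says this is untested, an `openssl verify -untrusted <server-sent chain> -CAfile <bundle> <leaf>` run against the rebuilt library, once with and once without the expired root in the bundle, would confirm the effect before it lands.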


    ---Mike
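The chain-building difference Mike describes (what the server sends versus whether the client consults its trust store before the server-sent bundle), as an added toy model that is not OpenSSL's code and not from the thread; the CA names follow the Let's Encrypt chain, while the hostname, the expiry dates and the "signature check" (issuer-name match only) are constructed for illustration.

```python
from datetime import date

# Constructed toy certificates modelled on the Let's Encrypt chain discussed
# in the thread; names are the real CA names, expiry dates are illustrative.
def cert(subject, issuer, expires):
    return {"subject": subject, "issuer": issuer, "expires": expires}

LEAF = cert("www.example.net", "R3", date(2021, 12, 1))
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed
ISRG_SELF = cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))      # self-signed
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))   # expired
SERVER_SENT = [R3, ISRG_CROSS]  # intermediates a typical LE server serves with the leaf
NOW = date(2021, 10, 1)

def find_issuer(c, pool):  # toy "signature check": issuer-name match only
    return next((x for x in pool if x["subject"] == c["issuer"]), None)

def build_chain(leaf, untrusted, trusted, trusted_first, now=NOW):
    """Return (ok, reason, chain). trusted_first=False walks the server-sent
    bundle first (pre-1.1.0 OpenSSL default); True models X509_V_FLAG_TRUSTED_FIRST."""
    chain = [leaf]
    while chain[-1]["subject"] != chain[-1]["issuer"]:
        if trusted_first and find_issuer(chain[-1], trusted):
            break  # an anchor is reachable from here: stop extending
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    while True:  # reach a trust anchor, backtracking through untrusted certs
        top = chain[-1]
        anchor = top if top in trusted else find_issuer(top, trusted)
        if anchor is not None:
            chain += [] if anchor is top else [anchor]
            break
        if len(chain) == 1:
            return False, "unable to get local issuer certificate", chain
        chain.pop()  # alternative-chain backtrack (X509_V_FLAG_NO_ALT_CHAINS unset)
    for c in chain:
        if c["expires"] < now:
            return False, "certificate has expired: " + c["subject"], chain
    return True, "OK", chain

def scenarios():
    full, trimmed = [ISRG_SELF, DST_X3], [ISRG_SELF]
    return {
        "legacy client, full bundle": build_chain(LEAF, SERVER_SENT, full, False)[:2],
        "trusted-first client, full bundle": build_chain(LEAF, SERVER_SENT, full, True)[:2],
        "legacy client, expired root removed": build_chain(LEAF, SERVER_SENT, trimmed, False)[:2],
    }
```

The three `scenarios()` entries correspond to the failing old clients, the working recent client, and the "remove the expired CA from the bundle" workaround from the thread.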
