expired Lets Encrypt CA and fetch
mike tancsa
mike at sentex.net
Fri Oct 1 14:24:48 UTC 2021
On 10/1/2021 9:23 AM, mike tancsa wrote:
> On 9/30/2021 9:14 PM, tech-lists wrote:
>> Hi,
>>
>> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>>
>>> fails on releng11 and some RELENG_12, but not recent releng13. Does
>>> anyone know whats going on and why its so inconsistent ? If I remove the
>>> expired CA entry from the bundle, it works but I dont have to on all
>>> clients ? Anyone know whats going on ?
>> It fails for me on 12.2-p7 and 13.0-p4 and stable/13 as of a few days
>> ago with fetch.
>>
>> I have no clue why your recent releng13 works. Maybe your fetch on
>> there is linked to the ssl a browser would use?
> Digging a bit further, it depends what the server sends and how the
> client works. e.g. does the server send along both the expired
> intermediary and not expired. Can an intermediary be trusted like a
> root? etc.
>
> The OpenBSD guys made a change that could break some applications, but I
> am not sure what
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
>
>
> I am guessing (not tested) something like this on RELENG_11 ? Note the
> discussion at
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev 2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c 2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
> "default", /* X509 default parameters */
> 0, /* Check time */
> 0, /* internal flags */
> - 0, /* flags */
> + X509_V_FLAG_TRUSTED_FIRST, /* flags */
> 0, /* purpose */
> 0, /* trust */
> 100, /* depth */
>
>
> ---Mike
This does seem to work. If I patch the file then
cd /usr/src/secure
make depend
make
make install
fetch on RELENG_11 no longer complains. Whether or not I am doing some
massive foot shooting, I am not sure. I think I will ask on freebsd-security
---Mike
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
More information about the freebsd-questions
mailing list