expired Lets Encrypt CA and fetch

mike tancsa mike at sentex.net
Fri Oct 1 14:24:48 UTC 2021


On 10/1/2021 9:23 AM, mike tancsa wrote:
> On 9/30/2021 9:14 PM, tech-lists wrote:
>> Hi,
>>
>> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>>
>>> fails on releng11 and some RELENG_12, but not recent releng13.  Does
>>> anyone know what's going on and why it's so inconsistent? If I remove the
>>> expired CA entry from the bundle, it works but I don't have to on all
>>> clients? Anyone know what's going on?
>> It fails for me on 12.2-p7 and 13.0-p4 and stable/13 as of a few days
>> ago with fetch.
>>
>> I have no clue why your recent releng13 works. Maybe your fetch on
>> there is linked to the ssl a browser would use? 
> Digging a bit further, it depends what the server sends and how the
> client works. e.g. does the server send along both the expired
> intermediary and not expired. Can an intermediary be trusted like a
> root? etc.
>
> The OpenBSD guys made a change that could break some applications, but I
> am not sure what
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
>
>
> I am guessing (not tested) something like this on RELENG_11 ?  Note the
> discussion at
>
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
>       "default",                 /* X509 default parameters */
>       0,                         /* Check time */
>       0,                         /* internal flags */
> -     0,                         /* flags */
> +     X509_V_FLAG_TRUSTED_FIRST, /* flags */
>       0,                         /* purpose */
>       0,                         /* trust */
>       100,                       /* depth */
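Review bot: the two file-header lines of this hunk have been wrapped by the mailer (the timestamps after `--- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01` and `+++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01` landed on lines of their own), so the patch as pasted will not apply with patch(1) until those headers are re-joined. On the change itself: the `flags` field that becomes `X509_V_FLAG_TRUSTED_FIRST` sits in the `"default"` entry of the built-in parameter table, so the new issuer lookup order applies to every program linked against this libcrypto, not to fetch alone; since the message says this is untested, the commit message should state that scope and record a check against a server that still sends the expired cross-signed intermediate. A narrower alternative is to set the flag per verify context with X509_VERIFY_PARAM_set_flags, or for a one-off check, `openssl verify -trusted_first`.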
>
>
>     ---Mike


This does seem to work.  If I patch the file then

cd /usr/src/secure

make depend
make
make install

fetch on RELENG_11 no longer complains.  Whether or not I am doing some
massive foot shooting, I am not sure. I think I will ask on freebsd-security.

    ---Mike


> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
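As an added illustration, not part of the thread and not OpenSSL's code: a small Python model of the chain-building step that X509_V_FLAG_TRUSTED_FIRST changes. The certificates are constructed stand-ins laid out like the Let's Encrypt cross-sign (a leaf under R3, R3 under ISRG Root X1, and an ISRG Root X1 cross-signed by the now expired DST Root CA X3); expiry dates are approximate and chosen for the model, there are no keys or signatures, and the backtracking step is a simplification of what a real library does. The three scenarios it runs are the ones discussed above: stock bundle with flags 0, stock bundle with TRUSTED_FIRST, and the expired root removed from the bundle.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: no keys or signatures,
    only the fields that chain building and the expiry check look at."""
    subject: str
    issuer: str
    not_after: date


# Constructed sample certificates, laid out like the Let's Encrypt cross-sign
# (expiry dates are approximate and chosen for this model):
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_ROOT_CA_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("www.example.com", "R3", date(2021, 12, 1))

SERVER_CHAIN = [LEAF, R3, ISRG_ROOT_X1_CROSS]             # sent by the server: untrusted
BUNDLE_WITH_EXPIRED_ROOT = [ISRG_ROOT_X1, DST_ROOT_CA_X3]  # client's CA bundle as shipped
BUNDLE_WITHOUT_EXPIRED_ROOT = [ISRG_ROOT_X1]              # bundle with the expired entry removed


def issuers_of(cert, pool):
    """All certificates in pool whose subject matches cert's issuer name."""
    return [c for c in pool if c.subject == cert.issuer and c != cert]


def build_chain(leaf, untrusted, trusted, trusted_first):
    """Extend the chain from the leaf until a certificate from the trust store
    is reached. Returns (chain, anchored).

    trusted_first=False: take the issuer from the server-sent (untrusted) list
    first and consult the trust store only when that list has no match.
    trusted_first=True: consult the trust store first at every step, which is
    what X509_V_FLAG_TRUSTED_FIRST turns on."""
    chain = [leaf]
    while chain[-1] not in trusted:
        top = chain[-1]
        first, second = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        candidates = ([c for c in issuers_of(top, first) if c not in chain]
                      or [c for c in issuers_of(top, second) if c not in chain])
        if not candidates:
            break
        chain.append(candidates[0])
    else:
        return chain, True

    # No anchor reached going forward: back off one certificate at a time and
    # look for a trusted issuer of an earlier element (an "alternative chain").
    # This is why dropping the expired root from the bundle also works: the walk
    # dead-ends at the cross-signed cert and falls back to ISRG Root X1.
    while len(chain) > 1:
        chain.pop()
        anchors = issuers_of(chain[-1], trusted)
        if anchors:
            chain.append(anchors[0])
            return chain, True
    return chain, False


def verify(leaf, untrusted, trusted, trusted_first, today):
    """Build the chain, then apply the expiry check to every certificate in it.
    Returns (ok, reason, chain); the reasons mirror OpenSSL's verify messages."""
    chain, anchored = build_chain(leaf, untrusted, trusted, trusted_first)
    if not anchored:
        return False, "unable to get local issuer certificate", chain
    expired = [c for c in chain if c.not_after < today]
    if expired:
        return False, f"certificate has expired ({expired[0].subject})", chain
    return True, "ok", chain


def scenarios(today=date(2021, 10, 1)):
    """The three situations from the thread, evaluated the day after
    DST Root CA X3 expired."""
    return {
        "stock bundle, flags=0": verify(LEAF, SERVER_CHAIN, BUNDLE_WITH_EXPIRED_ROOT, False, today),
        "stock bundle, TRUSTED_FIRST": verify(LEAF, SERVER_CHAIN, BUNDLE_WITH_EXPIRED_ROOT, True, today),
        "expired root removed, flags=0": verify(LEAF, SERVER_CHAIN, BUNDLE_WITHOUT_EXPIRED_ROOT, False, today),
    }


if __name__ == "__main__":
    for name, (ok, reason, chain) in scenarios().items():
        path = " -> ".join(c.subject for c in chain)
        print(f"{name:32} {'OK  ' if ok else 'FAIL'} {reason}")
        print(f"{'':32} {path}")
```

With flags 0 the walk follows the server-sent cross-signed certificate up to the expired DST Root CA X3 and fails on the expiry check; with TRUSTED_FIRST it stops at the ISRG Root X1 found in the bundle; with the expired entry removed the forward walk dead-ends and the fallback finds ISRG Root X1 anyway. The same three cases can be checked against real certificates with `openssl verify -CAfile bundle.pem -untrusted chain.pem leaf.pem`, with and without `-trusted_first`.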

