From owner-svn-src-stable-11@freebsd.org  Sun Aug 30 18:21:55 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 178293C446C;
 Sun, 30 Aug 2020 18:21:55 +0000 (UTC)
 (envelope-from asomers@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BfhW66z7Pz4JWm;
 Sun, 30 Aug 2020 18:21:54 +0000 (UTC)
 (envelope-from asomers@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D2A9E1B00F;
 Sun, 30 Aug 2020 18:21:54 +0000 (UTC)
 (envelope-from asomers@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 07UILspX021478;
 Sun, 30 Aug 2020 18:21:54 GMT (envelope-from asomers@FreeBSD.org)
Received: (from asomers@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 07UILshB021477;
 Sun, 30 Aug 2020 18:21:54 GMT (envelope-from asomers@FreeBSD.org)
Message-Id: <202008301821.07UILshB021477@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: asomers set sender to
 asomers@FreeBSD.org using -f
From: Alan Somers <asomers@FreeBSD.org>
Date: Sun, 30 Aug 2020 18:21:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r364978 -
 stable/11/cddl/contrib/opensolaris/lib/libzfs/common
X-SVN-Group: stable-11
X-SVN-Commit-Author: asomers
X-SVN-Commit-Paths: stable/11/cddl/contrib/opensolaris/lib/libzfs/common
X-SVN-Commit-Revision: 364978
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Aug 2020 18:21:55 -0000

Author: asomers
Date: Sun Aug 30 18:21:54 2020
New Revision: 364978
URL: https://svnweb.freebsd.org/changeset/base/364978

Log:
  MFC r364412:
  
  zfs: fix EIO accessing dataset after resuming interrupted receive
  
  ZFS unmounts a dataset while receiving into it and remounts it afterwards.
  But if ZFS is resuming an incomplete receive, it screws up and ends up with
  a dataset that is mounted, but returns EIO for every access. This commit
  fixes that condition.
  
  While the vulnerable code also exists in OpenZFS, the problem is not
  reproducible there. Apparently OpenZFS doesn't unmount the destination
  dataset during receive, like FreeBSD does.
  
  PR:		248606
  Reviewed by:	mmacy
  Sponsored by:	Axcient
  Differential Revision:	https://reviews.freebsd.org/D26034

Modified:
  stable/11/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c
==============================================================================
--- stable/11/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c	Sun Aug 30 17:40:59 2020	(r364977)
+++ stable/11/cddl/contrib/opensolaris/lib/libzfs/common/libzfs_sendrecv.c	Sun Aug 30 18:21:54 2020	(r364978)
@@ -3415,7 +3415,7 @@ zfs_receive_one(libzfs_handle_t *hdl, int infd, const 
 		}
 
 		if (!flags->dryrun && zhp->zfs_type == ZFS_TYPE_FILESYSTEM &&
-		    stream_wantsnewfs) {
+		    (stream_wantsnewfs || resuming)) {
 			/* We can't do online recv in this case */
 			clp = changelist_gather(zhp, ZFS_PROP_NAME, 0, 0);
 			if (clp == NULL) {

From owner-svn-src-stable-11@freebsd.org  Mon Aug 31 21:28:58 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3AF5F3CEDA1;
 Mon, 31 Aug 2020 21:28:58 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BgNcV0qmRz47XR;
 Mon, 31 Aug 2020 21:28:58 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F3C90E35B;
 Mon, 31 Aug 2020 21:28:57 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 07VLSvVe032978;
 Mon, 31 Aug 2020 21:28:57 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 07VLSvV5032977;
 Mon, 31 Aug 2020 21:28:57 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <202008312128.07VLSvV5032977@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Mon, 31 Aug 2020 21:28:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365011 - stable/11/sbin/dhclient
X-SVN-Group: stable-11
X-SVN-Commit-Author: emaste
X-SVN-Commit-Paths: stable/11/sbin/dhclient
X-SVN-Commit-Revision: 365011
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2020 21:28:58 -0000

Author: emaste
Date: Mon Aug 31 21:28:57 2020
New Revision: 365011
URL: https://svnweb.freebsd.org/changeset/base/365011

Log:
  MFC r364994: dhclient: improve error handling parsing option 119
  
  Reported by:	Shlomi Oberman, JSOF
  Submitted by:	delphij
  Reviewed by:	markj
  Tested by:	markj

Modified:
  stable/11/sbin/dhclient/options.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/dhclient/options.c
==============================================================================
--- stable/11/sbin/dhclient/options.c	Mon Aug 31 21:28:09 2020	(r365010)
+++ stable/11/sbin/dhclient/options.c	Mon Aug 31 21:28:57 2020	(r365011)
@@ -296,6 +296,8 @@ find_search_domain_name_len(struct option_data *option
 
 			pointed_len = find_search_domain_name_len(option,
 			    &pointer);
+			if (pointed_len < 0)
+				return (-1);
 			domain_name_len += pointed_len;
 
 			*offset = i + 2;

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 01:35:46 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id A95133C526D;
 Wed,  2 Sep 2020 01:35:46 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4Bh62p2xCcz3yws;
 Wed,  2 Sep 2020 01:35:46 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 490DE22B3D;
 Wed,  2 Sep 2020 01:35:46 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0821ZkD2085800;
 Wed, 2 Sep 2020 01:35:46 GMT (envelope-from kevans@FreeBSD.org)
Received: (from kevans@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0821ZjT2085796;
 Wed, 2 Sep 2020 01:35:45 GMT (envelope-from kevans@FreeBSD.org)
Message-Id: <202009020135.0821ZjT2085796@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kevans set sender to
 kevans@FreeBSD.org using -f
From: Kyle Evans <kevans@FreeBSD.org>
Date: Wed, 2 Sep 2020 01:35:45 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365233 - in stable: 11/secure/caroot/trusted
 12/secure/caroot/trusted
X-SVN-Group: stable-11
X-SVN-Commit-Author: kevans
X-SVN-Commit-Paths: in stable: 11/secure/caroot/trusted
 12/secure/caroot/trusted
X-SVN-Commit-Revision: 365233
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 01:35:46 -0000

Author: kevans
Date: Wed Sep  2 01:35:45 2020
New Revision: 365233
URL: https://svnweb.freebsd.org/changeset/base/365233

Log:
  MFC r364943: carrot: update bundle
  
  Stats:
  - Seven (7) removed
  - Four (4) added

Added:
  stable/11/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem
  stable/11/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem
  stable/11/secure/caroot/trusted/certSIGN_Root_CA_G2.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/certSIGN_Root_CA_G2.pem
  stable/11/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem
Deleted:
  stable/11/secure/caroot/trusted/AddTrust_External_Root.pem
  stable/11/secure/caroot/trusted/AddTrust_Low-Value_Services_Root.pem
  stable/11/secure/caroot/trusted/LuxTrust_Global_Root_2.pem
  stable/11/secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
  stable/11/secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
  stable/11/secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
  stable/11/secure/caroot/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Modified:
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Added:
  stable/12/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem
  stable/12/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem
  stable/12/secure/caroot/trusted/certSIGN_Root_CA_G2.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/certSIGN_Root_CA_G2.pem
  stable/12/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem
     - copied unchanged from r364943, head/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem
Deleted:
  stable/12/secure/caroot/trusted/AddTrust_External_Root.pem
  stable/12/secure/caroot/trusted/AddTrust_Low-Value_Services_Root.pem
  stable/12/secure/caroot/trusted/LuxTrust_Global_Root_2.pem
  stable/12/secure/caroot/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
  stable/12/secure/caroot/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
  stable/12/secure/caroot/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
  stable/12/secure/caroot/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Modified:
Directory Properties:
  stable/12/   (props changed)

Copied: stable/11/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem (from r364943, head/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem	Wed Sep  2 01:35:45 2020	(r365233, copy of r364943, head/secure/caroot/trusted/Microsoft_ECC_Root_Certificate_Authority_2017.pem)
@@ -0,0 +1,68 @@
+##
+##  Microsoft ECC Root Certificate Authority 2017
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            66:f2:3d:af:87:de:8b:b1:4a:ea:0c:57:31:01:c2:ec
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = US, O = Microsoft Corporation, CN = Microsoft ECC Root Certificate Authority 2017
+        Validity
+            Not Before: Dec 18 23:06:45 2019 GMT
+            Not After : Jul 18 23:16:04 2042 GMT
+        Subject: C = US, O = Microsoft Corporation, CN = Microsoft ECC Root Certificate Authority 2017
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d4:bc:3d:02:42:75:41:13:23:cd:80:04:86:02:
+                    51:2f:6a:a8:81:62:0b:65:cc:f6:ca:9d:1e:6f:4a:
+                    66:51:a2:03:d9:9d:91:fa:b6:16:b1:8c:6e:de:7c:
+                    cd:db:79:a6:2f:ce:bb:ce:71:2f:e5:a5:ab:28:ec:
+                    63:04:66:99:f8:fa:f2:93:10:05:e1:81:28:42:e3:
+                    c6:68:f4:e6:1b:84:60:4a:89:af:ed:79:0f:3b:ce:
+                    f1:f6:44:f5:01:78:c0
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                C8:CB:99:72:70:52:0C:F8:E6:BE:B2:04:57:29:2A:CF:42:10:ED:35
+            1.3.6.1.4.1.311.21.1: 
+                ...
+    Signature Algorithm: ecdsa-with-SHA384
+         30:65:02:30:58:f2:4d:ea:0c:f9:5f:5e:ee:60:29:cb:3a:f2:
+         db:d6:32:84:19:3f:7c:d5:2f:c2:b1:cc:93:ae:50:bb:09:32:
+         c6:c6:ed:7e:c9:36:94:12:e4:68:85:06:a2:1b:d0:2f:02:31:
+         00:99:e9:16:b4:0e:fa:56:48:d4:a4:30:16:91:78:db:54:8c:
+         65:01:8a:e7:50:66:c2:31:b7:39:ba:b8:1a:22:07:4e:fc:6b:
+         54:16:20:ff:2b:b5:e7:4c:0c:4d:a6:4f:73
+SHA1 Fingerprint=99:9A:64:C3:7F:F4:7D:9F:AB:95:F1:47:69:89:14:60:EE:C4:C3:C5
+-----BEGIN CERTIFICATE-----
+MIICWTCCAd+gAwIBAgIQZvI9r4fei7FK6gxXMQHC7DAKBggqhkjOPQQDAzBlMQsw
+CQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYD
+VQQDEy1NaWNyb3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
+MTcwHhcNMTkxMjE4MjMwNjQ1WhcNNDIwNzE4MjMxNjA0WjBlMQswCQYDVQQGEwJV
+UzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1NaWNy
+b3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATUvD0CQnVBEyPNgASGAlEvaqiBYgtlzPbKnR5vSmZR
+ogPZnZH6thaxjG7efM3beaYvzrvOcS/lpaso7GMEZpn4+vKTEAXhgShC48Zo9OYb
+hGBKia/teQ87zvH2RPUBeMCjVDBSMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBTIy5lycFIM+Oa+sgRXKSrPQhDtNTAQBgkrBgEEAYI3
+FQEEAwIBADAKBggqhkjOPQQDAwNoADBlAjBY8k3qDPlfXu5gKcs68tvWMoQZP3zV
+L8KxzJOuULsJMsbG7X7JNpQS5GiFBqIb0C8CMQCZ6Ra0DvpWSNSkMBaReNtUjGUB
+iudQZsIxtzm6uBoiB078a1QWIP8rtedMDE2mT3M=
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem (from r364943, head/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem	Wed Sep  2 01:35:45 2020	(r365233, copy of r364943, head/secure/caroot/trusted/Microsoft_RSA_Root_Certificate_Authority_2017.pem)
@@ -0,0 +1,136 @@
+##
+##  Microsoft RSA Root Certificate Authority 2017
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1e:d3:97:09:5f:d8:b4:b3:47:70:1e:aa:be:7f:45:b3
+        Signature Algorithm: sha384WithRSAEncryption
+        Issuer: C = US, O = Microsoft Corporation, CN = Microsoft RSA Root Certificate Authority 2017
+        Validity
+            Not Before: Dec 18 22:51:22 2019 GMT
+            Not After : Jul 18 23:00:23 2042 GMT
+        Subject: C = US, O = Microsoft Corporation, CN = Microsoft RSA Root Certificate Authority 2017
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:ca:5b:be:94:33:8c:29:95:91:16:0a:95:bd:47:
+                    62:c1:89:f3:99:36:df:46:90:c9:a5:ed:78:6a:6f:
+                    47:91:68:f8:27:67:50:33:1d:a1:a6:fb:e0:e5:43:
+                    a3:84:02:57:01:5d:9c:48:40:82:53:10:bc:bf:c7:
+                    3b:68:90:b6:82:2d:e5:f4:65:d0:cc:6d:19:cc:95:
+                    f9:7b:ac:4a:94:ad:0e:de:4b:43:1d:87:07:92:13:
+                    90:80:83:64:35:39:04:fc:e5:e9:6c:b3:b6:1f:50:
+                    94:38:65:50:5c:17:46:b9:b6:85:b5:1c:b5:17:e8:
+                    d6:45:9d:d8:b2:26:b0:ca:c4:70:4a:ae:60:a4:dd:
+                    b3:d9:ec:fc:3b:d5:57:72:bc:3f:c8:c9:b2:de:4b:
+                    6b:f8:23:6c:03:c0:05:bd:95:c7:cd:73:3b:66:80:
+                    64:e3:1a:ac:2e:f9:47:05:f2:06:b6:9b:73:f5:78:
+                    33:5b:c7:a1:fb:27:2a:a1:b4:9a:91:8c:91:d3:3a:
+                    82:3e:76:40:b4:cd:52:61:51:70:28:3f:c5:c5:5a:
+                    f2:c9:8c:49:bb:14:5b:4d:c8:ff:67:4d:4c:12:96:
+                    ad:f5:fe:78:a8:97:87:d7:fd:5e:20:80:dc:a1:4b:
+                    22:fb:d4:89:ad:ba:ce:47:97:47:55:7b:8f:45:c8:
+                    67:28:84:95:1c:68:30:ef:ef:49:e0:35:7b:64:e7:
+                    98:b0:94:da:4d:85:3b:3e:55:c4:28:af:57:f3:9e:
+                    13:db:46:27:9f:1e:a2:5e:44:83:a4:a5:ca:d5:13:
+                    b3:4b:3f:c4:e3:c2:e6:86:61:a4:52:30:b9:7a:20:
+                    4f:6f:0f:38:53:cb:33:0c:13:2b:8f:d6:9a:bd:2a:
+                    c8:2d:b1:1c:7d:4b:51:ca:47:d1:48:27:72:5d:87:
+                    eb:d5:45:e6:48:65:9d:af:52:90:ba:5b:a2:18:65:
+                    57:12:9f:68:b9:d4:15:6b:94:c4:69:22:98:f4:33:
+                    e0:ed:f9:51:8e:41:50:c9:34:4f:76:90:ac:fc:38:
+                    c1:d8:e1:7b:b9:e3:e3:94:e1:46:69:cb:0e:0a:50:
+                    6b:13:ba:ac:0f:37:5a:b7:12:b5:90:81:1e:56:ae:
+                    57:22:86:d9:c9:d2:d1:d7:51:e3:ab:3b:c6:55:fd:
+                    1e:0e:d3:74:0a:d1:da:aa:ea:69:b8:97:28:8f:48:
+                    c4:07:f8:52:43:3a:f4:ca:55:35:2c:b0:a6:6a:c0:
+                    9c:f9:f2:81:e1:12:6a:c0:45:d9:67:b3:ce:ff:23:
+                    a2:89:0a:54:d4:14:b9:2a:a8:d7:ec:f9:ab:cd:25:
+                    58:32:79:8f:90:5b:98:39:c4:08:06:c1:ac:7f:0e:
+                    3d:00:a5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                09:CB:59:7F:86:B2:70:8F:1A:C3:39:E3:C0:D9:E9:BF:BB:4D:B2:23
+            1.3.6.1.4.1.311.21.1: 
+                ...
+    Signature Algorithm: sha384WithRSAEncryption
+         ac:af:3e:5d:c2:11:96:89:8e:a3:e7:92:d6:97:15:b8:13:a2:
+         a6:42:2e:02:cd:16:05:59:27:ca:20:e8:ba:b8:e8:1a:ec:4d:
+         a8:97:56:ae:65:43:b1:8f:00:9b:52:cd:55:cd:53:39:6d:62:
+         4c:8b:0d:5b:7c:2e:44:bf:83:10:8f:f3:53:82:80:c3:4f:3a:
+         c7:6e:11:3f:e6:e3:16:91:84:fb:6d:84:7f:34:74:ad:89:a7:
+         ce:b9:d7:d7:9f:84:64:92:be:95:a1:ad:09:53:33:dd:ee:0a:
+         ea:4a:51:8e:6f:55:ab:ba:b5:94:46:ae:8c:7f:d8:a2:50:25:
+         65:60:80:46:db:33:04:ae:6c:b5:98:74:54:25:dc:93:e4:f8:
+         e3:55:15:3d:b8:6d:c3:0a:a4:12:c1:69:85:6e:df:64:f1:53:
+         99:e1:4a:75:20:9d:95:0f:e4:d6:dc:03:f1:59:18:e8:47:89:
+         b2:57:5a:94:b6:a9:d8:17:2b:17:49:e5:76:cb:c1:56:99:3a:
+         37:b1:ff:69:2c:91:91:93:e1:df:4c:a3:37:76:4d:a1:9f:f8:
+         6d:1e:1d:d3:fa:ec:fb:f4:45:1d:13:6d:cf:f7:59:e5:22:27:
+         72:2b:86:f3:57:bb:30:ed:24:4d:dc:7d:56:bb:a3:b3:f8:34:
+         79:89:c1:e0:f2:02:61:f7:a6:fc:0f:bb:1c:17:0b:ae:41:d9:
+         7c:bd:27:a3:fd:2e:3a:d1:93:94:b1:73:1d:24:8b:af:5b:20:
+         89:ad:b7:67:66:79:f5:3a:c6:a6:96:33:fe:53:92:c8:46:b1:
+         11:91:c6:99:7f:8f:c9:d6:66:31:20:41:10:87:2d:0c:d6:c1:
+         af:34:98:ca:64:83:fb:13:57:d1:c1:f0:3c:7a:8c:a5:c1:fd:
+         95:21:a0:71:c1:93:67:71:12:ea:8f:88:0a:69:19:64:99:23:
+         56:fb:ac:2a:2e:70:be:66:c4:0c:84:ef:e5:8b:f3:93:01:f8:
+         6a:90:93:67:4b:b2:68:a3:b5:62:8f:e9:3f:8c:7a:3b:5e:0f:
+         e7:8c:b8:c6:7c:ef:37:fd:74:e2:c8:4f:33:72:e1:94:39:6d:
+         bd:12:af:be:0c:4e:70:7c:1b:6f:8d:b3:32:93:73:44:16:6d:
+         e8:f4:f7:e0:95:80:8f:96:5d:38:a4:f4:ab:de:0a:30:87:93:
+         d8:4d:00:71:62:45:27:4b:3a:42:84:5b:7f:65:b7:67:34:52:
+         2d:9c:16:6b:aa:a8:d8:7b:a3:42:4c:71:c7:0c:ca:3e:83:e4:
+         a6:ef:b7:01:30:5e:51:a3:79:f5:70:69:a6:41:44:0f:86:b0:
+         2c:91:c6:3d:ea:ae:0f:84
+SHA1 Fingerprint=73:A5:E6:4A:3B:FF:83:16:FF:0E:DC:CC:61:8A:90:6E:4E:AE:4D:74
+-----BEGIN CERTIFICATE-----
+MIIFqDCCA5CgAwIBAgIQHtOXCV/YtLNHcB6qvn9FszANBgkqhkiG9w0BAQwFADBl
+MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYw
+NAYDVQQDEy1NaWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
+IDIwMTcwHhcNMTkxMjE4MjI1MTIyWhcNNDIwNzE4MjMwMDIzWjBlMQswCQYDVQQG
+EwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1N
+aWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKW76UM4wplZEWCpW9R2LBifOZ
+Nt9GkMml7Xhqb0eRaPgnZ1AzHaGm++DlQ6OEAlcBXZxIQIJTELy/xztokLaCLeX0
+ZdDMbRnMlfl7rEqUrQ7eS0MdhweSE5CAg2Q1OQT85elss7YfUJQ4ZVBcF0a5toW1
+HLUX6NZFndiyJrDKxHBKrmCk3bPZ7Pw71VdyvD/IybLeS2v4I2wDwAW9lcfNcztm
+gGTjGqwu+UcF8ga2m3P1eDNbx6H7JyqhtJqRjJHTOoI+dkC0zVJhUXAoP8XFWvLJ
+jEm7FFtNyP9nTUwSlq31/niol4fX/V4ggNyhSyL71Imtus5Hl0dVe49FyGcohJUc
+aDDv70ngNXtk55iwlNpNhTs+VcQor1fznhPbRiefHqJeRIOkpcrVE7NLP8TjwuaG
+YaRSMLl6IE9vDzhTyzMMEyuP1pq9KsgtsRx9S1HKR9FIJ3Jdh+vVReZIZZ2vUpC6
+W6IYZVcSn2i51BVrlMRpIpj0M+Dt+VGOQVDJNE92kKz8OMHY4Xu54+OU4UZpyw4K
+UGsTuqwPN1q3ErWQgR5WrlcihtnJ0tHXUeOrO8ZV/R4O03QK0dqq6mm4lyiPSMQH
++FJDOvTKVTUssKZqwJz58oHhEmrARdlns87/I6KJClTUFLkqqNfs+avNJVgyeY+Q
+W5g5xAgGwax/Dj0ApQIDAQABo1QwUjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUCctZf4aycI8awznjwNnpv7tNsiMwEAYJKwYBBAGC
+NxUBBAMCAQAwDQYJKoZIhvcNAQEMBQADggIBAKyvPl3CEZaJjqPnktaXFbgToqZC
+LgLNFgVZJ8og6Lq46BrsTaiXVq5lQ7GPAJtSzVXNUzltYkyLDVt8LkS/gxCP81OC
+gMNPOsduET/m4xaRhPtthH80dK2Jp86519efhGSSvpWhrQlTM93uCupKUY5vVau6
+tZRGrox/2KJQJWVggEbbMwSubLWYdFQl3JPk+ONVFT24bcMKpBLBaYVu32TxU5nh
+SnUgnZUP5NbcA/FZGOhHibJXWpS2qdgXKxdJ5XbLwVaZOjex/2kskZGT4d9Mozd2
+TaGf+G0eHdP67Pv0RR0Tbc/3WeUiJ3IrhvNXuzDtJE3cfVa7o7P4NHmJweDyAmH3
+pvwPuxwXC65B2Xy9J6P9LjrRk5Sxcx0ki69bIImtt2dmefU6xqaWM/5TkshGsRGR
+xpl/j8nWZjEgQRCHLQzWwa80mMpkg/sTV9HB8Dx6jKXB/ZUhoHHBk2dxEuqPiApp
+GWSZI1b7rCoucL5mxAyE7+WL85MB+GqQk2dLsmijtWKP6T+MejteD+eMuMZ87zf9
+dOLITzNy4ZQ5bb0Sr74MTnB8G2+NszKTc0QWbej09+CVgI+WXTik9KveCjCHk9hN
+AHFiRSdLOkKEW39lt2c0Ui2cFmuqqNh7o0JMcccMyj6D5KbvtwEwXlGjefVwaaZB
+RA+GsCyRxj3qrg+E
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/trusted/certSIGN_Root_CA_G2.pem (from r364943, head/secure/caroot/trusted/certSIGN_Root_CA_G2.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/trusted/certSIGN_Root_CA_G2.pem	Wed Sep  2 01:35:45 2020	(r365233, copy of r364943, head/secure/caroot/trusted/certSIGN_Root_CA_G2.pem)
@@ -0,0 +1,132 @@
+##
+##  certSIGN Root CA G2
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            11:00:34:b6:4e:c6:36:2d:36
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = RO, O = CERTSIGN SA, OU = certSIGN ROOT CA G2
+        Validity
+            Not Before: Feb  6 09:27:35 2017 GMT
+            Not After : Feb  6 09:27:35 2042 GMT
+        Subject: C = RO, O = CERTSIGN SA, OU = certSIGN ROOT CA G2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:c0:c5:75:19:91:7d:44:74:74:87:fe:0e:3b:96:
+                    dc:d8:01:16:cc:ee:63:91:e7:0b:6f:ce:3b:0a:69:
+                    1a:7c:c2:e3:af:82:8e:86:d7:5e:8f:57:eb:d3:21:
+                    59:fd:39:37:42:30:be:50:ea:b6:0f:a9:88:d8:2e:
+                    2d:69:21:e7:d1:37:18:4e:7d:91:d5:16:5f:6b:5b:
+                    00:c2:39:43:0d:36:85:52:b9:53:65:0f:1d:42:e5:
+                    8f:cf:05:d3:ee:dc:0c:1a:d9:b8:8b:78:22:67:e4:
+                    69:b0:68:c5:3c:e4:6c:5a:46:e7:cd:c7:fa:ef:c4:
+                    ec:4b:bd:6a:a4:ac:fd:cc:28:51:ef:92:b4:29:ab:
+                    ab:35:9a:4c:e4:c4:08:c6:26:cc:f8:69:9f:e4:9c:
+                    f0:29:d3:5c:f9:c6:16:25:9e:23:c3:20:c1:3d:0f:
+                    3f:38:40:b0:fe:82:44:38:aa:5a:1a:8a:6b:63:58:
+                    38:b4:15:d3:b6:11:69:7b:1e:54:ee:8c:1a:22:ac:
+                    72:97:3f:23:59:9b:c9:22:84:c1:07:4f:cc:7f:e2:
+                    57:ca:12:70:bb:a6:65:f3:69:75:63:bd:95:fb:1b:
+                    97:cd:e4:a8:af:f6:d1:4e:a8:d9:8a:71:24:cd:36:
+                    3d:bc:96:c4:f1:6c:a9:ae:e5:cf:0d:6e:28:0d:b0:
+                    0e:b5:ca:51:7b:78:14:c3:20:2f:7f:fb:14:55:e1:
+                    11:99:fd:d5:0a:a1:9e:02:e3:62:5f:eb:35:4b:2c:
+                    b8:72:e8:3e:3d:4f:ac:2c:bb:2e:86:e2:a3:76:8f:
+                    e5:93:2a:cf:a5:ab:c8:5c:8d:4b:06:ff:12:46:ac:
+                    78:cb:14:07:35:e0:a9:df:8b:e9:af:15:4f:16:89:
+                    5b:bd:f6:8d:c6:59:ae:88:85:0e:c1:89:eb:1f:67:
+                    c5:45:8e:ff:6d:37:36:2b:78:66:83:91:51:2b:3d:
+                    ff:51:77:76:62:a1:ec:67:3e:3e:81:83:e0:56:a9:
+                    50:1f:1f:7a:99:ab:63:bf:84:17:77:f1:0d:3b:df:
+                    f7:9c:61:b3:35:98:8a:3a:b2:ec:3c:1a:37:3f:7e:
+                    8f:92:cf:d9:12:14:64:da:10:02:15:41:ff:4f:c4:
+                    eb:1c:a3:c9:fa:99:f7:46:e9:e1:18:d9:b1:b8:32:
+                    2d:cb:14:0c:50:d8:83:65:83:ee:b9:5c:cf:cb:05:
+                    5a:4c:fa:19:97:6b:d6:5d:13:d3:c2:5c:54:bc:32:
+                    73:a0:78:f5:f1:6d:1e:cb:9f:a5:a6:9f:22:dc:d1:
+                    51:9e:82:79:64:60:29:13:3e:a3:fd:4f:72:6a:ab:
+                    e2:d4:e5:b8:24:55:2c:44:4b:8a:88:44:9c:ca:84:
+                    d3:2a:3b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                82:21:2D:66:C6:D7:A0:E0:15:EB:CE:4C:09:77:C4:60:9E:54:6E:03
+    Signature Algorithm: sha256WithRSAEncryption
+         60:de:1a:b8:e7:f2:60:82:d5:03:33:81:cb:06:8a:f1:22:49:
+         e9:e8:ea:91:7f:c6:33:5e:68:19:03:86:3b:43:01:cf:07:70:
+         e4:08:1e:65:85:91:e6:11:22:b7:f5:02:23:8e:ae:b9:1e:7d:
+         1f:7e:6c:e6:bd:25:d5:95:1a:f2:05:a6:af:85:02:6f:ae:f8:
+         d6:31:ff:25:c9:4a:c8:c7:8a:a9:d9:9f:4b:49:9b:11:57:99:
+         92:43:11:de:b6:33:a4:cc:d7:8d:64:7d:d4:cd:3c:28:2c:b4:
+         9a:96:ea:4d:f5:c4:44:c4:25:aa:20:80:d8:29:55:f7:e0:41:
+         fc:06:26:ff:b9:36:f5:43:14:03:66:78:e1:11:b1:da:20:5f:
+         46:00:78:00:21:a5:1e:00:28:61:78:6f:a8:01:01:8f:9d:34:
+         9a:ff:f4:38:90:fb:b8:d1:b3:72:06:c9:71:e6:81:c5:79:ed:
+         0b:a6:79:f2:13:0b:9c:f7:5d:0e:7b:24:93:b4:48:db:86:5f:
+         de:50:86:78:e7:40:e6:31:a8:90:76:70:61:af:9c:37:2c:11:
+         b5:82:b7:aa:ae:24:34:5b:72:0c:69:0d:cd:59:9f:f6:71:af:
+         9c:0b:d1:0a:38:f9:06:22:83:53:25:0c:fc:51:c4:e6:be:e2:
+         39:95:0b:24:ad:af:d1:95:e4:96:d7:74:64:6b:71:4e:02:3c:
+         aa:85:f3:20:a3:43:39:76:5b:6c:50:fe:9a:9c:14:1e:65:14:
+         8a:15:bd:a3:82:45:5a:49:56:6a:d2:9c:b1:63:32:e5:61:e0:
+         53:22:0e:a7:0a:49:ea:cb:7e:1f:a8:e2:62:80:f6:10:45:52:
+         98:06:18:de:a5:cd:2f:7f:aa:d4:e9:3e:08:72:ec:23:03:02:
+         3c:a6:aa:d8:bc:67:74:3d:14:17:fb:54:4b:17:e3:d3:79:3d:
+         6d:6b:49:c9:28:0e:2e:74:50:bf:0c:d9:46:3a:10:86:c9:a7:
+         3f:e9:a0:ec:7f:eb:a5:77:58:69:71:e6:83:0a:37:f2:86:49:
+         6a:be:79:08:90:f6:02:16:64:3e:e5:da:4c:7e:0c:34:c9:f9:
+         5f:b6:b3:28:51:a7:a7:2b:aa:49:fa:8d:65:29:4e:e3:6b:13:
+         a7:94:a3:2d:51:6d:78:0c:44:cb:df:de:08:6f:ce:a3:64:ab:
+         d3:95:84:d4:b9:52:54:72:7b:96:25:cc:bc:69:e3:48:6e:0d:
+         d0:c7:9d:27:9a:aa:f8:13:92:dd:1e:df:63:9f:35:a9:16:36:
+         ec:8c:b8:83:f4:3d:89:8f:cd:b4:17:5e:d7:b3:17:41:10:5d:
+         27:73:60:85:57:49:22:07
+SHA1 Fingerprint=26:F9:93:B4:ED:3D:28:27:B0:B9:4B:A7:E9:15:1D:A3:8D:92:E5:32
+-----BEGIN CERTIFICATE-----
+MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV
+BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g
+Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ
+BgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJ
+R04gUk9PVCBDQSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDF
+dRmRfUR0dIf+DjuW3NgBFszuY5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0Iw
+vlDqtg+piNguLWkh59E3GE59kdUWX2tbAMI5Qw02hVK5U2UPHULlj88F0+7cDBrZ
+uIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwoUe+StCmrqzWaTOTECMYmzPhp
+n+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV07YRaXseVO6MGiKs
+cpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2YpxJM02PbyW
+xPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P
+rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiF
+DsGJ6x9nxUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fx
+DTvf95xhszWYijqy7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgy
+LcsUDFDYg2WD7rlcz8sFWkz6GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6C
+eWRgKRM+o/1Pcmqr4tTluCRVLERLiohEnMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB
+/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSCIS1mxteg4BXrzkwJ
+d8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILVAzOBywaK8SJJ6ejq
+kX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa8gWmr4UC
+b6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl
+qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0
+OJD7uNGzcgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+c
+NywRtYK3qq4kNFtyDGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXk
+ltd0ZGtxTgI8qoXzIKNDOXZbbFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIO
+pwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj
+03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdYaXHmgwo38oZJar55CJD2AhZk
+PuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxEy9/eCG/Oo2Sr05WE
+1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/NtBde17MX
+QRBdJ3NghVdJIgc=
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem (from r364943, head/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem	Wed Sep  2 01:35:45 2020	(r365233, copy of r364943, head/secure/caroot/trusted/e-Szigno_Root_CA_2017.pem)
@@ -0,0 +1,65 @@
+##
+##  e-Szigno Root CA 2017
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            01:54:48:ef:21:fd:97:59:0d:f5:04:0a
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = HU, L = Budapest, O = Microsec Ltd., organizationIdentifier = VATHU-23584497, CN = e-Szigno Root CA 2017
+        Validity
+            Not Before: Aug 22 12:07:06 2017 GMT
+            Not After : Aug 22 12:07:06 2042 GMT
+        Subject: C = HU, L = Budapest, O = Microsec Ltd., organizationIdentifier = VATHU-23584497, CN = e-Szigno Root CA 2017
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:96:dc:3d:8a:d8:b0:7b:6f:c6:27:be:44:90:b1:
+                    b3:56:15:7b:8e:43:24:7d:1a:84:59:ee:63:68:b2:
+                    c6:5e:87:d0:15:48:1e:a8:90:ad:bd:53:a2:da:de:
+                    3a:90:a6:60:5f:68:32:b5:86:41:df:87:5b:2c:7b:
+                    c5:fe:7c:7a:da
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                87:11:15:08:D1:AA:C1:78:0C:B1:AF:CE:C6:C9:90:EF:BF:30:04:C0
+            X509v3 Authority Key Identifier: 
+                keyid:87:11:15:08:D1:AA:C1:78:0C:B1:AF:CE:C6:C9:90:EF:BF:30:04:C0
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:b5:57:dd:d7:8a:55:0b:36:e1:86:44:fa:d4:
+         d9:68:8d:b8:dc:23:8a:8a:0d:d4:2f:7d:ea:73:ec:bf:4d:6c:
+         a8:02:21:00:cb:a5:b4:12:fa:e7:b5:e8:cf:7e:93:fc:f3:35:
+         8f:6f:4e:5a:7c:b4:bc:4e:b2:fc:72:aa:5b:59:f9:e7:dc:31
+SHA1 Fingerprint=89:D4:83:03:4F:9E:9A:48:80:5F:72:37:D4:A9:A6:EF:CB:7C:1F:D1
+-----BEGIN CERTIFICATE-----
+MIICQDCCAeWgAwIBAgIMAVRI7yH9l1kN9QQKMAoGCCqGSM49BAMCMHExCzAJBgNV
+BAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMgTHRk
+LjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25vIFJv
+b3QgQ0EgMjAxNzAeFw0xNzA4MjIxMjA3MDZaFw00MjA4MjIxMjA3MDZaMHExCzAJ
+BgNVBAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMg
+THRkLjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25v
+IFJvb3QgQ0EgMjAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJbcPYrYsHtv
+xie+RJCxs1YVe45DJH0ahFnuY2iyxl6H0BVIHqiQrb1TotreOpCmYF9oMrWGQd+H
+Wyx7xf58etqjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
+A1UdDgQWBBSHERUI0arBeAyxr87GyZDvvzAEwDAfBgNVHSMEGDAWgBSHERUI0arB
+eAyxr87GyZDvvzAEwDAKBggqhkjOPQQDAgNJADBGAiEAtVfd14pVCzbhhkT61Nlo
+jbjcI4qKDdQvfepz7L9NbKgCIQDLpbQS+ue16M9+k/zzNY9vTlp8tLxOsvxyqltZ
++efcMQ==
+-----END CERTIFICATE-----

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 10:11:21 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id D3A203D3363;
 Wed,  2 Sep 2020 10:11:21 +0000 (UTC)
 (envelope-from hselasky@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BhKTj5DsFz4Xyd;
 Wed,  2 Sep 2020 10:11:21 +0000 (UTC)
 (envelope-from hselasky@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 984108C6A;
 Wed,  2 Sep 2020 10:11:21 +0000 (UTC)
 (envelope-from hselasky@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082ABLd6004437;
 Wed, 2 Sep 2020 10:11:21 GMT (envelope-from hselasky@FreeBSD.org)
Received: (from hselasky@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082ABLcE004436;
 Wed, 2 Sep 2020 10:11:21 GMT (envelope-from hselasky@FreeBSD.org)
Message-Id: <202009021011.082ABLcE004436@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: hselasky set sender to
 hselasky@FreeBSD.org using -f
From: Hans Petter Selasky <hselasky@FreeBSD.org>
Date: Wed, 2 Sep 2020 10:11:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365240 - stable/11/sys/dev/usb/controller
X-SVN-Group: stable-11
X-SVN-Commit-Author: hselasky
X-SVN-Commit-Paths: stable/11/sys/dev/usb/controller
X-SVN-Commit-Revision: 365240
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 10:11:21 -0000

Author: hselasky
Date: Wed Sep  2 10:11:21 2020
New Revision: 365240
URL: https://svnweb.freebsd.org/changeset/base/365240

Log:
  MFC r364347:
  Check the XHCI endpoint state before issuing XHCI endpoint commands.
  
  Differential Revision:	https://reviews.freebsd.org/D26064
  Reviewed by:	kp@ and bz@
  Sponsored by:	Mellanox Technologies

Modified:
  stable/11/sys/dev/usb/controller/xhci.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/usb/controller/xhci.c
==============================================================================
--- stable/11/sys/dev/usb/controller/xhci.c	Wed Sep  2 10:10:28 2020	(r365239)
+++ stable/11/sys/dev/usb/controller/xhci.c	Wed Sep  2 10:11:21 2020	(r365240)
@@ -3807,6 +3807,28 @@ alloc_dma_set:
 	}
 }
 
+static uint8_t
+xhci_get_endpoint_state(struct usb_device *udev, uint8_t epno)
+{
+	struct xhci_softc *sc = XHCI_BUS2SC(udev->bus);
+	struct usb_page_search buf_dev;
+	struct xhci_hw_dev *hdev;
+	struct xhci_dev_ctx *pdev;
+	uint32_t temp;
+
+	MPASS(epno != 0);
+
+	hdev =	&sc->sc_hw.devs[udev->controller_slot_id];
+
+	usbd_get_page(&hdev->device_pc, 0, &buf_dev);
+	pdev = buf_dev.buffer;
+	usb_pc_cpu_invalidate(&hdev->device_pc);
+
+	temp = xhci_ctx_get_le32(sc, &pdev->ctx_ep[epno - 1].dwEpCtx0);
+
+	return (XHCI_EPCTX_0_EPSTATE_GET(temp));
+}
+
 static usb_error_t
 xhci_configure_reset_endpoint(struct usb_xfer *xfer)
 {
@@ -3860,16 +3882,20 @@ xhci_configure_reset_endpoint(struct usb_xfer *xfer)
 	 * Get the endpoint into the stopped state according to the
 	 * endpoint context state diagram in the XHCI specification:
 	 */
-
-	err = xhci_cmd_stop_ep(sc, 0, epno, index);
-
-	if (err != 0)
-		DPRINTF("Could not stop endpoint %u\n", epno);
-
-	err = xhci_cmd_reset_ep(sc, 0, epno, index);
-
-	if (err != 0)
-		DPRINTF("Could not reset endpoint %u\n", epno);
+	switch (xhci_get_endpoint_state(udev, epno)) {
+	case XHCI_EPCTX_0_EPSTATE_STOPPED:
+		break;
+	case XHCI_EPCTX_0_EPSTATE_HALTED:
+		err = xhci_cmd_reset_ep(sc, 0, epno, index);
+		if (err != 0)
+			DPRINTF("Could not reset endpoint %u\n", epno);
+		break;
+	default:
+		err = xhci_cmd_stop_ep(sc, 0, epno, index);
+		if (err != 0)
+			DPRINTF("Could not stop endpoint %u\n", epno);
+		break;
+	}
 
 	err = xhci_cmd_set_tr_dequeue_ptr(sc,
 	    (pepext->physaddr + (stream_id * sizeof(struct xhci_trb) *

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 10:14:10 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id F3C2C3D389E;
 Wed,  2 Sep 2020 10:14:09 +0000 (UTC)
 (envelope-from hselasky@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BhKXx6B5Rz4YQ5;
 Wed,  2 Sep 2020 10:14:09 +0000 (UTC)
 (envelope-from hselasky@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B75848F52;
 Wed,  2 Sep 2020 10:14:09 +0000 (UTC)
 (envelope-from hselasky@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082AE9vu009462;
 Wed, 2 Sep 2020 10:14:09 GMT (envelope-from hselasky@FreeBSD.org)
Received: (from hselasky@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082AE91K009461;
 Wed, 2 Sep 2020 10:14:09 GMT (envelope-from hselasky@FreeBSD.org)
Message-Id: <202009021014.082AE91K009461@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: hselasky set sender to
 hselasky@FreeBSD.org using -f
From: Hans Petter Selasky <hselasky@FreeBSD.org>
Date: Wed, 2 Sep 2020 10:14:09 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365242 - stable/11/sys/dev/sound/usb
X-SVN-Group: stable-11
X-SVN-Commit-Author: hselasky
X-SVN-Commit-Paths: stable/11/sys/dev/sound/usb
X-SVN-Commit-Revision: 365242
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 10:14:10 -0000

Author: hselasky
Date: Wed Sep  2 10:14:09 2020
New Revision: 365242
URL: https://svnweb.freebsd.org/changeset/base/365242

Log:
  MFC r364374:
  Print current buffer latency in dmesg for the USB audio driver and not just
  the maximum.
  
  Sponsored by:	Mellanox Technologies

Modified:
  stable/11/sys/dev/sound/usb/uaudio.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/sound/usb/uaudio.c
==============================================================================
--- stable/11/sys/dev/sound/usb/uaudio.c	Wed Sep  2 10:13:15 2020	(r365241)
+++ stable/11/sys/dev/sound/usb/uaudio.c	Wed Sep  2 10:14:09 2020	(r365242)
@@ -1027,10 +1027,11 @@ uaudio_attach(device_t dev)
 		}
 		for (x = 0; x != sc->sc_play_chan[i].num_alt; x++) {
 			device_printf(dev, "Play[%u]: %d Hz, %d ch, %s format, "
-			    "2x8ms buffer.\n", i,
+			    "2x%dms buffer.\n", i,
 			    sc->sc_play_chan[i].usb_alt[x].sample_rate,
 			    sc->sc_play_chan[i].usb_alt[x].channels,
-			    sc->sc_play_chan[i].usb_alt[x].p_fmt->description);
+			    sc->sc_play_chan[i].usb_alt[x].p_fmt->description,
+			    uaudio_buffer_ms);
 		}
 	}
 	if (i == 0)
@@ -1056,10 +1057,11 @@ uaudio_attach(device_t dev)
 		}
 		for (x = 0; x != sc->sc_rec_chan[i].num_alt; x++) {
 			device_printf(dev, "Record[%u]: %d Hz, %d ch, %s format, "
-			    "2x8ms buffer.\n", i,
+			    "2x%dms buffer.\n", i,
 			    sc->sc_rec_chan[i].usb_alt[x].sample_rate,
 			    sc->sc_rec_chan[i].usb_alt[x].channels,
-			    sc->sc_rec_chan[i].usb_alt[x].p_fmt->description);
+			    sc->sc_rec_chan[i].usb_alt[x].p_fmt->description,
+			    uaudio_buffer_ms);
 		}
 	}
 	if (i == 0)

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 18:44:02 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id A8A313C454E;
 Wed,  2 Sep 2020 18:44:02 +0000 (UTC) (envelope-from gjb@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BhXsG464Jz42Rd;
 Wed,  2 Sep 2020 18:44:02 +0000 (UTC) (envelope-from gjb@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 71060EB67;
 Wed,  2 Sep 2020 18:44:02 +0000 (UTC) (envelope-from gjb@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082Ii2a3023900;
 Wed, 2 Sep 2020 18:44:02 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082Ii2I2023897;
 Wed, 2 Sep 2020 18:44:02 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <202009021844.082Ii2I2023897@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber <gjb@FreeBSD.org>
Date: Wed, 2 Sep 2020 18:44:02 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365269 - stable/11/release/doc/share/xml
X-SVN-Group: stable-11
X-SVN-Commit-Author: gjb
X-SVN-Commit-Paths: stable/11/release/doc/share/xml
X-SVN-Commit-Revision: 365269
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 18:44:02 -0000

Author: gjb
Date: Wed Sep  2 18:44:01 2020
New Revision: 365269
URL: https://svnweb.freebsd.org/changeset/base/365269

Log:
  Document EN-20:13-18, SA-20:18-26
  
  Sponsored by:	Rubicon Communications, LLC (netgate.com)

Modified:
  stable/11/release/doc/share/xml/errata.xml
  stable/11/release/doc/share/xml/security.xml

Modified: stable/11/release/doc/share/xml/errata.xml
==============================================================================
--- stable/11/release/doc/share/xml/errata.xml	Wed Sep  2 18:17:08 2020	(r365268)
+++ stable/11/release/doc/share/xml/errata.xml	Wed Sep  2 18:44:01 2020	(r365269)
@@ -19,9 +19,24 @@
 
     <tbody>
       <row>
-	<entry>No notices.</entry>
-	<entry>&nbsp;</entry>
-	<entry>&nbsp;</entry>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-20:15.mps.asc">FreeBSD-EN-20:15.mps</link></entry>
+	<entry>8&nbsp;July&nbsp;2020</entry>
+	<entry><para>Kernel panic</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-20:17.linuxthread.asc">FreeBSD-EN-20:17.linuxthread</link></entry>
+	<entry>2&nbsp;September&nbsp;2020</entry>
+	<entry><para>Kernel panic</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-EN-20:18.getfsstat.asc">FreeBSD-EN-20:18.getfsstat</link></entry>
+	<entry>2&nbsp;September&nbsp;2020</entry>
+	<entry><para>Kernel panic</para></entry>
       </row>
     </tbody>
   </tgroup>

Modified: stable/11/release/doc/share/xml/security.xml
==============================================================================
--- stable/11/release/doc/share/xml/security.xml	Wed Sep  2 18:17:08 2020	(r365268)
+++ stable/11/release/doc/share/xml/security.xml	Wed Sep  2 18:44:01 2020	(r365269)
@@ -19,9 +19,66 @@
 
     <tbody>
       <row>
-	<entry>No advisories.</entry>
-	<entry>&nbsp;</entry>
-	<entry>&nbsp;</entry>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:18.posix_spawnp.asc">FreeBSD-SA-20:18.posix_spawnp</link></entry>
+	<entry>8&nbsp;July&nbsp;2020</entry>
+	<entry><para>Buffer overflow</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:19.unbound.asc">FreeBSD-SA-20:19.unbound</link></entry>
+	<entry>8&nbsp;July&nbsp;2020</entry>
+	<entry><para>Multiple vulnerabilities</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:20.ipv6.asc">FreeBSD-SA-20:20.ipv6</link></entry>
+	<entry>8&nbsp;July&nbsp;2020</entry>
+	<entry><para>Race condition and use-after-free</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:21.usb_net.asc">FreeBSD-SA-20:21.usb_net</link></entry>
+	<entry>5&nbsp;August&nbsp;2020</entry>
+	<entry><para>Memory corruption</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:22.sqlite.asc">FreeBSD-SA-20:22.sqlite</link></entry>
+	<entry>5&nbsp;August&nbsp;2020</entry>
+	<entry><para>Multiple vulnerabilities</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:23.sendmsg.asc">FreeBSD-SA-20:23.sendmsg</link></entry>
+	<entry>5&nbsp;August&nbsp;2020</entry>
+	<entry><para>Privilege escalation</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:24.ipv6.asc">FreeBSD-SA-20:24.ipv6</link></entry>
+	<entry>2&nbsp;September&nbsp;2020</entry>
+	<entry><para>Use-after-free bug</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:25.sctp.asc">FreeBSD-SA-20:25.sctp</link></entry>
+	<entry>2&nbsp;September&nbsp;2020</entry>
+	<entry><para>Use-after-free bug</para></entry>
+      </row>
+
+      <row>
+	<entry><link
+	    xlink:href="&security.url;/FreeBSD-SA-20:26.dhclient.asc">FreeBSD-SA-20:26.dhclient</link></entry>
+	<entry>2&nbsp;September&nbsp;2020</entry>
+	<entry><para>Heap overflow</para></entry>
       </row>
     </tbody>
   </tgroup>

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 19:02:49 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id EE2B73C6644;
 Wed,  2 Sep 2020 19:02:49 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BhYGx62Drz45Fk;
 Wed,  2 Sep 2020 19:02:49 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B25ADF410;
 Wed,  2 Sep 2020 19:02:49 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082J2nJb036175;
 Wed, 2 Sep 2020 19:02:49 GMT (envelope-from jhb@FreeBSD.org)
Received: (from jhb@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082J2nuN036173;
 Wed, 2 Sep 2020 19:02:49 GMT (envelope-from jhb@FreeBSD.org)
Message-Id: <202009021902.082J2nuN036173@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org
 using -f
From: John Baldwin <jhb@FreeBSD.org>
Date: Wed, 2 Sep 2020 19:02:49 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365270 - in stable: 11/sys/conf 11/sys/modules/ipsec
 11/sys/modules/tcp/tcpmd5 12/sys/conf 12/sys/modules/ipsec
 12/sys/modules/tcp/tcpmd5
X-SVN-Group: stable-11
X-SVN-Commit-Author: jhb
X-SVN-Commit-Paths: in stable: 11/sys/conf 11/sys/modules/ipsec
 11/sys/modules/tcp/tcpmd5 12/sys/conf 12/sys/modules/ipsec
 12/sys/modules/tcp/tcpmd5
X-SVN-Commit-Revision: 365270
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 19:02:50 -0000

Author: jhb
Date: Wed Sep  2 19:02:48 2020
New Revision: 365270
URL: https://svnweb.freebsd.org/changeset/base/365270

Log:
  MFC 361632: Honor opt_ipsec.h from kernel builds.
  
  To make this simpler, set the default contents of opt_ipsec.h
  for standalone modules in sys/conf/config.mk.

Modified:
  stable/11/sys/conf/config.mk
  stable/11/sys/modules/ipsec/Makefile
  stable/11/sys/modules/tcp/tcpmd5/Makefile
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/sys/conf/config.mk
  stable/12/sys/modules/ipsec/Makefile
  stable/12/sys/modules/tcp/tcpmd5/Makefile
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/sys/conf/config.mk
==============================================================================
--- stable/11/sys/conf/config.mk	Wed Sep  2 18:44:01 2020	(r365269)
+++ stable/11/sys/conf/config.mk	Wed Sep  2 19:02:48 2020	(r365270)
@@ -19,6 +19,8 @@ opt_inet.h:
 opt_inet6.h:
 	@echo "#define INET6 1" > ${.TARGET}
 .endif
+opt_ipsec.h:
+	@echo "#define IPSEC_SUPPORT 1" > ${.TARGET}
 .if ${MK_EISA} != "no"
 opt_eisa.h:
 	@echo "#define DEV_EISA 1" > ${.TARGET}

Modified: stable/11/sys/modules/ipsec/Makefile
==============================================================================
--- stable/11/sys/modules/ipsec/Makefile	Wed Sep  2 18:44:01 2020	(r365269)
+++ stable/11/sys/modules/ipsec/Makefile	Wed Sep  2 19:02:48 2020	(r365270)
@@ -8,7 +8,4 @@ SRCS=	if_ipsec.c ipsec.c ipsec_input.c ipsec_mbuf.c ip
 	opt_inet.h opt_inet6.h opt_ipsec.h opt_sctp.h 
 SRCS.INET=	udpencap.c
 
-opt_ipsec.h:
-	@echo "#define IPSEC_SUPPORT 1" > ${.TARGET}
-
 .include <bsd.kmod.mk>

Modified: stable/11/sys/modules/tcp/tcpmd5/Makefile
==============================================================================
--- stable/11/sys/modules/tcp/tcpmd5/Makefile	Wed Sep  2 18:44:01 2020	(r365269)
+++ stable/11/sys/modules/tcp/tcpmd5/Makefile	Wed Sep  2 19:02:48 2020	(r365270)
@@ -5,7 +5,4 @@
 KMOD=   tcpmd5
 SRCS=   xform_tcp.c opt_inet.h opt_inet6.h opt_ipsec.h
 
-opt_ipsec.h:
-	@echo "#define IPSEC_SUPPORT 1" > ${.TARGET}
-
 .include <bsd.kmod.mk>

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 20:36:36 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8FD7E3C9294;
 Wed,  2 Sep 2020 20:36:36 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BhbM83KRFz4FT1;
 Wed,  2 Sep 2020 20:36:36 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 550EAFF76;
 Wed,  2 Sep 2020 20:36:36 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082KaaVf092842;
 Wed, 2 Sep 2020 20:36:36 GMT (envelope-from jhb@FreeBSD.org)
Received: (from jhb@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082KaYQQ092828;
 Wed, 2 Sep 2020 20:36:34 GMT (envelope-from jhb@FreeBSD.org)
Message-Id: <202009022036.082KaYQQ092828@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org
 using -f
From: John Baldwin <jhb@FreeBSD.org>
Date: Wed, 2 Sep 2020 20:36:34 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365277 - in stable: 11/sys/net 11/sys/netipsec
 12/sys/net 12/sys/netipsec
X-SVN-Group: stable-11
X-SVN-Commit-Author: jhb
X-SVN-Commit-Paths: in stable: 11/sys/net 11/sys/netipsec 12/sys/net
 12/sys/netipsec
X-SVN-Commit-Revision: 365277
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 20:36:36 -0000

Author: jhb
Date: Wed Sep  2 20:36:33 2020
New Revision: 365277
URL: https://svnweb.freebsd.org/changeset/base/365277

Log:
  MFC 361633: Consistently include opt_ipsec.h for consumers of <netipsec/ipsec.h>.
  
  This fixes ipsec.ko to include all of IPSEC_DEBUG.

Modified:
  stable/11/sys/net/if_enc.c
  stable/11/sys/net/if_ipsec.c
  stable/11/sys/netipsec/ipsec.h
  stable/11/sys/netipsec/ipsec_mbuf.c
  stable/11/sys/netipsec/xform_ah.c
  stable/11/sys/netipsec/xform_esp.c
  stable/11/sys/netipsec/xform_ipcomp.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/sys/net/if_enc.c
  stable/12/sys/net/if_ipsec.c
  stable/12/sys/netipsec/ipsec.h
  stable/12/sys/netipsec/ipsec_mbuf.c
  stable/12/sys/netipsec/xform_ah.c
  stable/12/sys/netipsec/xform_esp.c
  stable/12/sys/netipsec/xform_ipcomp.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/sys/net/if_enc.c
==============================================================================
--- stable/11/sys/net/if_enc.c	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/net/if_enc.c	Wed Sep  2 20:36:33 2020	(r365277)
@@ -30,6 +30,7 @@
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>

Modified: stable/11/sys/net/if_ipsec.c
==============================================================================
--- stable/11/sys/net/if_ipsec.c	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/net/if_ipsec.c	Wed Sep  2 20:36:33 2020	(r365277)
@@ -30,6 +30,7 @@ __FBSDID("$FreeBSD$");
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>

Modified: stable/11/sys/netipsec/ipsec.h
==============================================================================
--- stable/11/sys/netipsec/ipsec.h	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/netipsec/ipsec.h	Wed Sep  2 20:36:33 2020	(r365277)
@@ -37,11 +37,6 @@
 #ifndef _NETIPSEC_IPSEC_H_
 #define _NETIPSEC_IPSEC_H_
 
-#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)
-#include "opt_inet.h"
-#include "opt_ipsec.h"
-#endif
-
 #include <net/pfkeyv2.h>
 #include <netipsec/keydb.h>
 

Modified: stable/11/sys/netipsec/ipsec_mbuf.c
==============================================================================
--- stable/11/sys/netipsec/ipsec_mbuf.c	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/netipsec/ipsec_mbuf.c	Wed Sep  2 20:36:33 2020	(r365277)
@@ -30,6 +30,8 @@
  * IPsec-specific mbuf routines.
  */
 
+#include "opt_ipsec.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>

Modified: stable/11/sys/netipsec/xform_ah.c
==============================================================================
--- stable/11/sys/netipsec/xform_ah.c	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/netipsec/xform_ah.c	Wed Sep  2 20:36:33 2020	(r365277)
@@ -38,6 +38,7 @@
  */
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>

Modified: stable/11/sys/netipsec/xform_esp.c
==============================================================================
--- stable/11/sys/netipsec/xform_esp.c	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/netipsec/xform_esp.c	Wed Sep  2 20:36:33 2020	(r365277)
@@ -37,6 +37,7 @@
  */
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>

Modified: stable/11/sys/netipsec/xform_ipcomp.c
==============================================================================
--- stable/11/sys/netipsec/xform_ipcomp.c	Wed Sep  2 20:04:26 2020	(r365276)
+++ stable/11/sys/netipsec/xform_ipcomp.c	Wed Sep  2 20:36:33 2020	(r365277)
@@ -31,6 +31,7 @@
 /* IP payload compression protocol (IPComp), see RFC 2393 */
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>

From owner-svn-src-stable-11@freebsd.org  Wed Sep  2 21:36:57 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4578E3CABD8;
 Wed,  2 Sep 2020 21:36:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4Bhchm6ywKz4Krj;
 Wed,  2 Sep 2020 21:36:56 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D26E210F9E;
 Wed,  2 Sep 2020 21:36:56 +0000 (UTC) (envelope-from jhb@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082LauDh029959;
 Wed, 2 Sep 2020 21:36:56 GMT (envelope-from jhb@FreeBSD.org)
Received: (from jhb@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082Lau4P029956;
 Wed, 2 Sep 2020 21:36:56 GMT (envelope-from jhb@FreeBSD.org)
Message-Id: <202009022136.082Lau4P029956@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org
 using -f
From: John Baldwin <jhb@FreeBSD.org>
Date: Wed, 2 Sep 2020 21:36:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365281 - in stable: 11/sys/conf 11/sys/modules
 11/sys/modules/tcp 12/sys/conf 12/sys/modules 12/sys/modules/tcp
X-SVN-Group: stable-11
X-SVN-Commit-Author: jhb
X-SVN-Commit-Paths: in stable: 11/sys/conf 11/sys/modules 11/sys/modules/tcp
 12/sys/conf 12/sys/modules 12/sys/modules/tcp
X-SVN-Commit-Revision: 365281
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2020 21:36:57 -0000

Author: jhb
Date: Wed Sep  2 21:36:55 2020
New Revision: 365281
URL: https://svnweb.freebsd.org/changeset/base/365281

Log:
  MFC 361638,361712: Only build ipsec modules for kernels with IPSEC_SUPPORT.
  
  361638:
  Only build ipsec modules if the kernel includes IPSEC_SUPPORT.
  
  Honoring the kernel-supplied opt_ipsec.h in r361632 causes builds of
  ipsec modules to fail if the kernel doesn't include IPSEC_SUPPORT.
  However, the module can never be loaded into such a kernel, so only
  build the modules if the kernel includes IPSEC_SUPPORT.
  
  361712: (kevans)
  modules: don't build ipsec/tcpmd5 if the kernel is configured for IPSEC
  
  IPSEC_SUPPORT can currently only cope with either IPSEC || IPSEC_SUPPORT,
  not both. Refrain from building if IPSEC is set, as the resulting module
  won't be able to load anyways if it's built into the kernel.
  
  KERN_OPTS is safe here; for tied modules, it will reflect the kernel
  configuration. For untied modules, it will defer to whatever is set in
  ^/sys/conf/config.mk, which doesn't set IPSEC for modules. The latter
  situation has some risk to it for uncommon scenarios, but such is the life
  of untied kernel modules.

Modified:
  stable/11/sys/conf/config.mk
  stable/11/sys/modules/Makefile
  stable/11/sys/modules/tcp/Makefile
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/sys/conf/config.mk
  stable/12/sys/modules/Makefile
  stable/12/sys/modules/tcp/Makefile
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/sys/conf/config.mk
==============================================================================
--- stable/11/sys/conf/config.mk	Wed Sep  2 21:17:54 2020	(r365280)
+++ stable/11/sys/conf/config.mk	Wed Sep  2 21:36:55 2020	(r365281)
@@ -19,8 +19,10 @@ opt_inet.h:
 opt_inet6.h:
 	@echo "#define INET6 1" > ${.TARGET}
 .endif
+.if ${MK_IPSEC_SUPPORT} != "no"
 opt_ipsec.h:
 	@echo "#define IPSEC_SUPPORT 1" > ${.TARGET}
+.endif
 .if ${MK_EISA} != "no"
 opt_eisa.h:
 	@echo "#define DEV_EISA 1" > ${.TARGET}
@@ -47,6 +49,9 @@ KERN_OPTS+= INET TCP_OFFLOAD
 .endif
 .if ${MK_INET6_SUPPORT} != "no"
 KERN_OPTS+= INET6
+.endif
+.if ${MK_IPSEC_SUPPORT} != "no"
+KERN_OPTS+= IPSEC_SUPPORT
 .endif
 .if ${MK_EISA} != "no"
 KERN_OPTS+= DEV_EISA

Modified: stable/11/sys/modules/Makefile
==============================================================================
--- stable/11/sys/modules/Makefile	Wed Sep  2 21:17:54 2020	(r365280)
+++ stable/11/sys/modules/Makefile	Wed Sep  2 21:36:55 2020	(r365281)
@@ -8,6 +8,8 @@ SUBDIR_PARALLEL=
 # Modules that include binary-only blobs of microcode should be selectable by
 # MK_SOURCELESS_UCODE option (see below).
 
+.include "${SYSDIR}/conf/config.mk"
+
 .if defined(MODULES_OVERRIDE) && !defined(ALL_MODULES)
 SUBDIR=${MODULES_OVERRIDE}
 .else
@@ -468,7 +470,7 @@ _if_enc=	if_enc
 _if_gif=	if_gif
 _if_gre=	if_gre
 _ipfw_pmod=	ipfw_pmod
-.if ${MK_IPSEC_SUPPORT} != "no"
+.if ${KERN_OPTS:MIPSEC_SUPPORT} && !${KERN_OPTS:MIPSEC}
 _ipsec=		ipsec
 .endif
 .endif
@@ -853,8 +855,6 @@ afterinstall: .PHONY
 		kldxref ${DESTDIR}${KMODDIR}; \
 	fi
 .endif
-
-.include "${SYSDIR}/conf/config.mk"
 
 SUBDIR:= ${SUBDIR:u:O}
 

Modified: stable/11/sys/modules/tcp/Makefile
==============================================================================
--- stable/11/sys/modules/tcp/Makefile	Wed Sep  2 21:17:54 2020	(r365280)
+++ stable/11/sys/modules/tcp/Makefile	Wed Sep  2 21:36:55 2020	(r365281)
@@ -15,7 +15,7 @@ _tcp_fastpath=	fastpath
 
 .if (${MK_INET_SUPPORT} != "no" || ${MK_INET6_SUPPORT} != "no") || \
 	defined(ALL_MODULES)
-.if ${MK_IPSEC_SUPPORT} != "no"
+.if ${KERN_OPTS:MIPSEC_SUPPORT} && !${KERN_OPTS:MIPSEC}
 _tcpmd5=	tcpmd5
 .endif
 .endif

From owner-svn-src-stable-11@freebsd.org  Fri Sep  4 13:19:19 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 965243C2279;
 Fri,  4 Sep 2020 13:19:19 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BjdYg3Rn7z42pC;
 Fri,  4 Sep 2020 13:19:19 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 594B4D3C6;
 Fri,  4 Sep 2020 13:19:19 +0000 (UTC)
 (envelope-from markj@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 084DJJUg010858;
 Fri, 4 Sep 2020 13:19:19 GMT (envelope-from markj@FreeBSD.org)
Received: (from markj@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 084DJJtN010857;
 Fri, 4 Sep 2020 13:19:19 GMT (envelope-from markj@FreeBSD.org)
Message-Id: <202009041319.084DJJtN010857@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: markj set sender to
 markj@FreeBSD.org using -f
From: Mark Johnston <markj@FreeBSD.org>
Date: Fri, 4 Sep 2020 13:19:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365330 - stable/11/sys/dev/qlxgb
X-SVN-Group: stable-11
X-SVN-Commit-Author: markj
X-SVN-Commit-Paths: stable/11/sys/dev/qlxgb
X-SVN-Commit-Revision: 365330
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2020 13:19:19 -0000

Author: markj
Date: Fri Sep  4 13:19:18 2020
New Revision: 365330
URL: https://svnweb.freebsd.org/changeset/base/365330

Log:
  MFC r365060:
  qlxgb: Initialize if_mtu before setting max_frame_size.
  
  PR:	249050

Modified:
  stable/11/sys/dev/qlxgb/qla_os.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/qlxgb/qla_os.c
==============================================================================
--- stable/11/sys/dev/qlxgb/qla_os.c	Fri Sep  4 13:17:55 2020	(r365329)
+++ stable/11/sys/dev/qlxgb/qla_os.c	Fri Sep  4 13:19:18 2020	(r365330)
@@ -670,6 +670,7 @@ qla_init_ifnet(device_t dev, qla_host_t *ha)
 
 	if_initname(ifp, device_get_name(dev), device_get_unit(dev));
 
+	ifp->if_mtu = ETHERMTU;
 	ifp->if_baudrate = IF_Gbps(10);
 	ifp->if_init = qla_init;
 	ifp->if_softc = ha;

From owner-svn-src-stable-11@freebsd.org  Sat Sep  5 02:22:09 2020
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 604BC3D7111;
 Sat,  5 Sep 2020 02:22:09 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4Bjywx2Fvhz4vJm;
 Sat,  5 Sep 2020 02:22:09 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3141016808;
 Sat,  5 Sep 2020 02:22:09 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0852M994095189;
 Sat, 5 Sep 2020 02:22:09 GMT (envelope-from kevans@FreeBSD.org)
Received: (from kevans@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0852M7LH095182;
 Sat, 5 Sep 2020 02:22:07 GMT (envelope-from kevans@FreeBSD.org)
Message-Id: <202009050222.0852M7LH095182@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kevans set sender to
 kevans@FreeBSD.org using -f
From: Kyle Evans <kevans@FreeBSD.org>
Date: Sat, 5 Sep 2020 02:22:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r365357 - in stable: 11/secure/caroot/blacklisted
 12/secure/caroot/blacklisted
X-SVN-Group: stable-11
X-SVN-Commit-Author: kevans
X-SVN-Commit-Paths: in stable: 11/secure/caroot/blacklisted
 12/secure/caroot/blacklisted
X-SVN-Commit-Revision: 365357
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Sep 2020 02:22:09 -0000

Author: kevans
Date: Sat Sep  5 02:22:07 2020
New Revision: 365357
URL: https://svnweb.freebsd.org/changeset/base/365357

Log:
  MFC r365248: caroot: properly remove old distrusted roots
  
  The proper procedure was not followed in r364943; all of these that were
  deleted should have instead been moved over to the blacklist so that certctl
  can DTRT.
  
  Users must still `certctl rehash` after this, but this should generally be
  done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
  that freebsd-update doesn't come into play for this particular update, as
  these have not yet made it into a release.
  
  Future work (after svn -> git) will likely change the script that updatecert
  invokes to facilitate the process, rather than trusting that kevans or
  whomever updates in the future will remember.

Added:
  stable/11/secure/caroot/blacklisted/AddTrust_External_Root.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/AddTrust_External_Root.pem
  stable/11/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
  stable/11/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
  stable/11/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
  stable/11/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
  stable/11/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
  stable/11/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Modified:
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Added:
  stable/12/secure/caroot/blacklisted/AddTrust_External_Root.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/AddTrust_External_Root.pem
  stable/12/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
  stable/12/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
  stable/12/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
  stable/12/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
  stable/12/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
  stable/12/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
     - copied unchanged from r365248, head/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Modified:
Directory Properties:
  stable/12/   (props changed)

Copied: stable/11/secure/caroot/blacklisted/AddTrust_External_Root.pem (from r365248, head/secure/caroot/blacklisted/AddTrust_External_Root.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/AddTrust_External_Root.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/AddTrust_External_Root.pem)
@@ -0,0 +1,99 @@
+##
+##  AddTrust External Root
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
+        Validity
+            Not Before: May 30 10:48:38 2000 GMT
+            Not After : May 30 10:48:38 2020 GMT
+        Subject: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
+                    1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
+                    a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
+                    cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
+                    2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
+                    56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
+                    5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
+                    87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
+                    71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
+                    69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
+                    ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
+                    6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
+                    37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
+                    45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
+                    c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
+                    a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
+                    b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
+                    5a:27
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
+                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
+                serial:01
+
+    Signature Algorithm: sha1WithRSAEncryption
+         b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
+         84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
+         6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
+         bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
+         de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
+         14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
+         93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
+         63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
+         a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
+         45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
+         91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
+         8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
+         60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
+         0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
+         8f:4e:86:04
+SHA1 Fingerprint=02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem (from r365248, head/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem)
@@ -0,0 +1,98 @@
+##
+##  AddTrust Low-Value Services Root
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root
+        Validity
+            Not Before: May 30 10:38:31 2000 GMT
+            Not After : May 30 10:38:31 2020 GMT
+        Subject: C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:96:96:d4:21:49:60:e2:6b:e8:41:07:0c:de:c4:
+                    e0:dc:13:23:cd:c1:35:c7:fb:d6:4e:11:0a:67:5e:
+                    f5:06:5b:6b:a5:08:3b:5b:29:16:3a:e7:87:b2:34:
+                    06:c5:bc:05:a5:03:7c:82:cb:29:10:ae:e1:88:81:
+                    bd:d6:9e:d3:fe:2d:56:c1:15:ce:e3:26:9d:15:2e:
+                    10:fb:06:8f:30:04:de:a7:b4:63:b4:ff:b1:9c:ae:
+                    3c:af:77:b6:56:c5:b5:ab:a2:e9:69:3a:3d:0e:33:
+                    79:32:3f:70:82:92:99:61:6d:8d:30:08:8f:71:3f:
+                    a6:48:57:19:f8:25:dc:4b:66:5c:a5:74:8f:98:ae:
+                    c8:f9:c0:06:22:e7:ac:73:df:a5:2e:fb:52:dc:b1:
+                    15:65:20:fa:35:66:69:de:df:2c:f1:6e:bc:30:db:
+                    2c:24:12:db:eb:35:35:68:90:cb:00:b0:97:21:3d:
+                    74:21:23:65:34:2b:bb:78:59:a3:d6:e1:76:39:9a:
+                    a4:49:8e:8c:74:af:6e:a4:9a:a3:d9:9b:d2:38:5c:
+                    9b:a2:18:cc:75:23:84:be:eb:e2:4d:33:71:8e:1a:
+                    f0:c2:f8:c7:1d:a2:ad:03:97:2c:f8:cf:25:c6:f6:
+                    b8:24:31:b1:63:5d:92:7f:63:f0:25:c9:53:2e:1f:
+                    bf:4d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B
+                DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
+                serial:01
+
+    Signature Algorithm: sha1WithRSAEncryption
+         2c:6d:64:1b:1f:cd:0d:dd:b9:01:fa:96:63:34:32:48:47:99:
+         ae:97:ed:fd:72:16:a6:73:47:5a:f4:eb:dd:e9:f5:d6:fb:45:
+         cc:29:89:44:5d:bf:46:39:3d:e8:ee:bc:4d:54:86:1e:1d:6c:
+         e3:17:27:43:e1:89:56:2b:a9:6f:72:4e:49:33:e3:72:7c:2a:
+         23:9a:bc:3e:ff:28:2a:ed:a3:ff:1c:23:ba:43:57:09:67:4d:
+         4b:62:06:2d:f8:ff:6c:9d:60:1e:d8:1c:4b:7d:b5:31:2f:d9:
+         d0:7c:5d:f8:de:6b:83:18:78:37:57:2f:e8:33:07:67:df:1e:
+         c7:6b:2a:95:76:ae:8f:57:a3:f0:f4:52:b4:a9:53:08:cf:e0:
+         4f:d3:7a:53:8b:fd:bb:1c:56:36:f2:fe:b2:b6:e5:76:bb:d5:
+         22:65:a7:3f:fe:d1:66:ad:0b:bc:6b:99:86:ef:3f:7d:f3:18:
+         32:ca:7b:c6:e3:ab:64:46:95:f8:26:69:d9:55:83:7b:2c:96:
+         07:ff:59:2c:44:a3:c6:e5:e9:a9:dc:a1:63:80:5a:21:5e:21:
+         cf:53:54:f0:ba:6f:89:db:a8:aa:95:cf:8b:e3:71:cc:1e:1b:
+         20:44:08:c0:7a:b6:40:fd:c4:e4:35:e1:1d:16:1c:d0:bc:2b:
+         8e:d6:71:d9
+SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
+-----BEGIN CERTIFICATE-----
+MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3
+b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw
+MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML
+QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD
+VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul
+CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n
+tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl
+dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch
+PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC
++Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O
+BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl
+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk
+ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB
+IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X
+7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz
+43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY
+eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl
+pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA
+WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk=
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem (from r365248, head/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem)
@@ -0,0 +1,141 @@
+##
+##  LuxTrust Global Root 2
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = LU, O = LuxTrust S.A., CN = LuxTrust Global Root 2
+        Validity
+            Not Before: Mar  5 13:21:57 2015 GMT
+            Not After : Mar  5 13:21:57 2035 GMT
+        Subject: C = LU, O = LuxTrust S.A., CN = LuxTrust Global Root 2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:d7:85:97:bf:11:98:e9:f0:62:83:4c:3c:87:f9:
+                    53:6a:37:0b:f2:0f:3c:87:ce:6f:dc:26:29:bd:c5:
+                    89:ba:c9:83:3d:f7:ee:ca:5b:c6:6d:49:73:b4:c9:
+                    46:a3:1b:34:13:3f:c1:89:45:57:f4:d9:b1:fb:36:
+                    65:4b:fb:08:e2:48:71:11:c8:6e:3b:9e:9d:df:89:
+                    65:37:a6:85:f6:3b:44:18:b6:c6:37:30:62:44:92:
+                    97:69:7d:42:30:24:e4:0d:0c:89:6b:63:de:c5:e1:
+                    df:4e:a9:14:6c:53:e0:61:ce:f6:17:2f:1d:3c:bd:
+                    e6:22:4c:1d:93:f5:10:c4:a1:76:ec:6a:de:c5:6c:
+                    df:96:b4:56:40:42:c0:62:92:30:a1:2d:15:94:a0:
+                    d2:20:06:09:6e:6a:6d:e5:eb:b7:be:d4:f0:f1:15:
+                    7c:8b:e6:4e:ba:13:cc:4b:27:5e:99:3c:17:5d:8f:
+                    81:7f:33:3d:4f:d3:3f:1b:ec:5c:3f:f0:3c:4c:75:
+                    6e:f2:a6:d5:9d:da:2d:07:63:02:c6:72:e9:94:bc:
+                    4c:49:95:4f:88:52:c8:db:e8:69:82:f8:cc:34:5b:
+                    22:f0:86:a7:89:bd:48:0a:6d:66:81:6d:c8:c8:64:
+                    fb:01:e1:f4:e1:de:d9:9e:dd:db:5b:d4:2a:99:26:
+                    15:1b:1e:4c:92:29:82:9e:d5:92:81:92:41:70:19:
+                    f7:a4:e5:93:4b:bc:77:67:31:dd:1c:fd:31:70:0d:
+                    17:99:0c:f9:0c:39:19:2a:17:b5:30:71:55:d5:0f:
+                    ae:58:e1:3d:2f:34:9b:cf:9f:f6:78:85:c2:93:7a:
+                    72:3e:66:8f:9c:16:11:60:8f:9e:89:6f:67:be:e0:
+                    47:5a:3b:0c:9a:67:8b:cf:46:c6:ae:38:a3:f2:a7:
+                    bc:e6:d6:85:6b:33:24:70:22:4b:cb:08:9b:bb:c8:
+                    f8:02:29:1d:be:20:0c:46:bf:6b:87:9b:b3:2a:66:
+                    42:35:46:6c:aa:ba:ad:f9:98:7b:e9:50:55:14:31:
+                    bf:b1:da:2d:ed:80:ad:68:24:fb:69:ab:d8:71:13:
+                    30:e6:67:b3:87:40:fd:89:7e:f2:43:d1:11:df:2f:
+                    65:2f:64:ce:5f:14:b9:b1:bf:31:bd:87:78:5a:59:
+                    65:88:aa:fc:59:32:48:86:d6:4c:b9:29:4b:95:d3:
+                    76:f3:77:25:6d:42:1c:38:83:4d:fd:a3:5f:9b:7f:
+                    2d:ac:79:1b:0e:42:31:97:63:a4:fb:8a:69:d5:22:
+                    0d:34:90:30:2e:a8:b4:e0:6d:b6:94:ac:bc:8b:4e:
+                    d7:70:fc:c5:38:8e:64:25:e1:4d:39:90:ce:c9:87:
+                    84:58:71
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Certificate Policies: 
+                Policy: 1.3.171.1.1.1.10
+                  CPS: https://repository.luxtrust.lu
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                keyid:FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3
+
+            X509v3 Subject Key Identifier: 
+                FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3
+    Signature Algorithm: sha256WithRSAEncryption
+         6a:19:14:ed:6e:79:c1:2c:87:d4:0d:70:7e:d7:f6:78:c9:0b:
+         04:4e:c4:b1:ce:93:70:fe:b0:54:c0:32:cd:99:30:64:17:bf:
+         0f:e5:e2:33:fd:07:36:40:72:0e:1a:b6:6a:59:d6:00:e5:68:
+         20:dd:2e:72:0d:1f:6a:64:31:20:84:7d:49:a6:5a:37:eb:45:
+         c9:85:f5:d4:c7:17:99:07:e6:9b:55:e4:0c:e8:a9:b4:ce:8c:
+         5b:b5:11:5c:cf:8a:0e:0d:d6:ac:77:81:fe:32:9c:24:9e:72:
+         ce:54:f3:d0:6f:a2:56:d6:ec:c3:37:2c:65:58:be:57:00:1a:
+         f2:35:fa:eb:7b:31:5d:c2:c1:12:3d:96:81:88:96:89:c1:59:
+         5c:7a:e6:7f:70:34:e7:83:e2:b1:e1:e1:b8:58:ef:d4:95:e4:
+         60:9c:f0:96:97:72:8c:eb:84:02:2e:65:8f:a4:b7:d2:7f:67:
+         dd:c8:d3:9e:5c:aa:a9:a4:a0:25:14:06:9b:ec:4f:7e:2d:0b:
+         7f:1d:75:f1:33:d8:ed:ce:b8:75:6d:3e:5b:b9:98:1d:31:0d:
+         56:d8:43:0f:30:91:b2:04:6b:dd:56:be:95:80:55:67:be:d8:
+         cd:83:d9:18:ee:2e:0f:86:2d:92:9e:70:13:ec:de:51:c9:43:
+         78:02:a5:4d:c8:f9:5f:c4:91:58:46:16:77:5a:74:aa:40:bc:
+         07:9f:30:b9:b1:f7:12:17:dd:e3:ff:24:40:1d:7a:6a:d1:4f:
+         18:0a:aa:90:1d:eb:40:1e:df:a1:1e:44:92:10:9a:f2:8d:e1:
+         d1:4b:46:9e:e8:45:42:97:ea:45:99:f3:ec:66:d5:02:fa:f2:
+         a6:4a:24:aa:de:ce:b9:ca:f9:3f:93:6f:f9:a3:ba:ea:a5:3e:
+         99:ad:fd:ff:7b:99:f5:65:ee:f0:59:28:67:d7:90:95:a4:13:
+         84:a9:84:c1:e8:ce:ce:75:93:63:1a:bc:3c:ea:d5:64:1f:2d:
+         2a:12:39:c6:c3:5a:32:ed:47:91:16:0e:bc:38:c1:50:de:8f:
+         ca:2a:90:34:1c:ee:41:94:9c:5e:19:2e:f8:45:49:99:74:91:
+         b0:04:6f:e3:04:5a:b1:ab:2a:ab:fe:c7:d0:96:b6:da:e1:4a:
+         64:06:6e:60:4d:bd:42:4e:ff:78:da:24:ca:1b:b4:d7:96:39:
+         6c:ae:f1:0e:aa:a7:7d:48:8b:20:4c:cf:64:d6:b8:97:46:b0:
+         4e:d1:2a:56:3a:a0:93:bd:af:80:24:e0:0a:7e:e7:ca:d5:ca:
+         e8:85:55:dc:36:2a:e1:94:68:93:c7:66:72:44:0f:80:21:32:
+         6c:25:c7:23:80:83:0a:eb
+SHA1 Fingerprint=1E:0E:56:19:0A:D1:8B:25:98:B2:04:44:FF:66:8A:04:17:99:5F:3F
+-----BEGIN CERTIFICATE-----
+MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQEL
+BQAwRjELMAkGA1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNV
+BAMMFkx1eFRydXN0IEdsb2JhbCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUw
+MzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEWMBQGA1UECgwNTHV4VHJ1c3QgUy5B
+LjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wmKb3F
+ibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTem
+hfY7RBi2xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1
+EMShduxq3sVs35a0VkBCwGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsn
+Xpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4
+zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkmFRseTJIpgp7VkoGSQXAZ
+96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niFwpN6cj5m
+j5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4g
+DEa/a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+
+8kPREd8vZS9kzl8UubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2j
+X5t/Lax5Gw5CMZdjpPuKadUiDTSQMC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmH
+hFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB/zBCBgNVHSAEOzA5MDcGByuB
+KwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5Lmx1eHRydXN0
+Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT
++Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQEL
+BQADggIBAGoZFO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9
+BzZAcg4atmpZ1gDlaCDdLnINH2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTO
+jFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW7MM3LGVYvlcAGvI1+ut7MV3CwRI9
+loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIuZY+kt9J/Z93I055c
+qqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWAVWe+
+2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/
+JEAdemrRTxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKre
+zrnK+T+Tb/mjuuqlPpmt/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQf
+LSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+
+x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31IiyBMz2TWuJdGsE7RKlY6
+oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem (from r365248, head/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem)
@@ -0,0 +1,137 @@
+##
+##  Staat der Nederlanden Root CA - G2
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 10000012 (0x98968c)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
+        Validity
+            Not Before: Mar 26 11:18:17 2008 GMT
+            Not After : Mar 25 11:03:10 2020 GMT
+        Subject: C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:c5:59:e7:6f:75:aa:3e:4b:9c:b5:b8:ac:9e:0b:
+                    e4:f9:d9:ca:ab:5d:8f:b5:39:10:82:d7:af:51:e0:
+                    3b:e1:00:48:6a:cf:da:e1:06:43:11:99:aa:14:25:
+                    12:ad:22:e8:00:6d:43:c4:a9:b8:e5:1f:89:4b:67:
+                    bd:61:48:ef:fd:d2:e0:60:88:e5:b9:18:60:28:c3:
+                    77:2b:ad:b0:37:aa:37:de:64:59:2a:46:57:e4:4b:
+                    b9:f8:37:7c:d5:36:e7:80:c1:b6:f3:d4:67:9b:96:
+                    e8:ce:d7:c6:0a:53:d0:6b:49:96:f3:a3:0b:05:77:
+                    48:f7:25:e5:70:ac:30:14:20:25:e3:7f:75:5a:e5:
+                    48:f8:4e:7b:03:07:04:fa:82:61:87:6e:f0:3b:c4:
+                    a4:c7:d0:f5:74:3e:a5:5d:1a:08:f2:9b:25:d2:f6:
+                    ac:04:26:3e:55:3a:62:28:a5:7b:b2:30:af:f8:37:
+                    c2:d1:ba:d6:38:fd:f4:ef:49:30:37:99:26:21:48:
+                    85:01:a9:e5:16:e7:dc:90:55:df:0f:e8:38:cd:99:
+                    37:21:4f:5d:f5:22:6f:6a:c5:12:16:60:17:55:f2:
+                    65:66:a6:a7:30:91:38:c1:38:1d:86:04:84:ba:1a:
+                    25:78:5e:9d:af:cc:50:60:d6:13:87:52:ed:63:1f:
+                    6d:65:7d:c2:15:18:74:ca:e1:7e:64:29:8c:72:d8:
+                    16:13:7d:0b:49:4a:f1:28:1b:20:74:6b:c5:3d:dd:
+                    b0:aa:48:09:3d:2e:82:94:cd:1a:65:d9:2b:88:9a:
+                    99:bc:18:7e:9f:ee:7d:66:7c:3e:bd:94:b8:81:ce:
+                    cd:98:30:78:c1:6f:67:d0:be:5f:e0:68:ed:de:e2:
+                    b1:c9:2c:59:78:92:aa:df:2b:60:63:f2:e5:5e:b9:
+                    e3:ca:fa:7f:50:86:3e:a2:34:18:0c:09:68:28:11:
+                    1c:e4:e1:b9:5c:3e:47:ba:32:3f:18:cc:5b:84:f5:
+                    f3:6b:74:c4:72:74:e1:e3:8b:a0:4a:bd:8d:66:2f:
+                    ea:ad:35:da:20:d3:88:82:61:f0:12:22:b6:bc:d0:
+                    d5:a4:ec:af:54:88:25:24:3c:a7:6d:b1:72:29:3f:
+                    3e:57:a6:7f:55:af:6e:26:c6:fe:e7:cc:40:5c:51:
+                    44:81:0a:78:de:4a:ce:55:bf:1d:d5:d9:b7:56:ef:
+                    f0:76:ff:0b:79:b5:af:bd:fb:a9:69:91:46:97:68:
+                    80:14:36:1d:b3:7f:bb:29:98:36:a5:20:fa:82:60:
+                    62:33:a4:ec:d6:ba:07:a7:6e:c5:cf:14:a6:e7:d6:
+                    92:34:d8:81:f5:fc:1d:5d:aa:5c:1e:f6:a3:4d:3b:
+                    b8:f7:39
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Certificate Policies: 
+                Policy: X509v3 Any Policy
+                  CPS: http://www.pkioverheid.nl/policies/root-policy-G2
+
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                91:68:32:87:15:1D:89:E2:B5:F1:AC:36:28:34:8D:0B:7C:62:88:EB
+    Signature Algorithm: sha256WithRSAEncryption
+         a8:41:4a:67:2a:92:81:82:50:6e:e1:d7:d8:b3:39:3b:f3:02:
+         15:09:50:51:ef:2d:bd:24:7b:88:86:3b:f9:b4:bc:92:09:96:
+         b9:f6:c0:ab:23:60:06:79:8c:11:4e:51:d2:79:80:33:fb:9d:
+         48:be:ec:41:43:81:1f:7e:47:40:1c:e5:7a:08:ca:aa:8b:75:
+         ad:14:c4:c2:e8:66:3c:82:07:a7:e6:27:82:5b:18:e6:0f:6e:
+         d9:50:3e:8a:42:18:29:c6:b4:56:fc:56:10:a0:05:17:bd:0c:
+         23:7f:f4:93:ed:9c:1a:51:be:dd:45:41:bf:91:24:b4:1f:8c:
+         e9:5f:cf:7b:21:99:9f:95:9f:39:3a:46:1c:6c:f9:cd:7b:9c:
+         90:cd:28:a9:c7:a9:55:bb:ac:62:34:62:35:13:4b:14:3a:55:
+         83:b9:86:8d:92:a6:c6:f4:07:25:54:cc:16:57:12:4a:82:78:
+         c8:14:d9:17:82:26:2d:5d:20:1f:79:ae:fe:d4:70:16:16:95:
+         83:d8:35:39:ff:52:5d:75:1c:16:c5:13:55:cf:47:cc:75:65:
+         52:4a:de:f0:b0:a7:e4:0a:96:0b:fb:ad:c2:e2:25:84:b2:dd:
+         e4:bd:7e:59:6c:9b:f0:f0:d8:e7:ca:f2:e9:97:38:7e:89:be:
+         cc:fb:39:17:61:3f:72:db:3a:91:d8:65:01:19:1d:ad:50:a4:
+         57:0a:7c:4b:bc:9c:71:73:2a:45:51:19:85:cc:8e:fd:47:a7:
+         74:95:1d:a8:d1:af:4e:17:b1:69:26:c2:aa:78:57:5b:c5:4d:
+         a7:e5:9e:05:17:94:ca:b2:5f:a0:49:18:8d:34:e9:26:6c:48:
+         1e:aa:68:92:05:e1:82:73:5a:9b:dc:07:5b:08:6d:7d:9d:d7:
+         8d:21:d9:fc:14:20:aa:c2:45:df:3f:e7:00:b2:51:e4:c2:f8:
+         05:b9:79:1a:8c:34:f3:9e:5b:e4:37:5b:6b:4a:df:2c:57:8a:
+         40:5a:36:ba:dd:75:44:08:37:42:70:0c:fe:dc:5e:21:a0:a3:
+         8a:c0:90:9c:68:da:50:e6:45:10:47:78:b6:4e:d2:65:c9:c3:
+         37:df:e1:42:63:b0:57:37:45:2d:7b:8a:9c:bf:05:ea:65:55:
+         33:f7:39:10:c5:28:2a:21:7a:1b:8a:c4:24:f9:3f:15:c8:9a:
+         15:20:f5:55:62:96:ed:6d:93:50:bc:e4:aa:78:ad:d9:cb:0a:
+         65:87:a6:66:c1:c4:81:a3:77:3a:58:1e:0b:ee:83:8b:9d:1e:
+         d2:52:a4:cc:1d:6f:b0:98:6d:94:31:b5:f8:71:0a:dc:b9:fc:
+         7d:32:60:e6:eb:af:8a:01
+SHA1 Fingerprint=59:AF:82:79:91:86:C7:B4:75:07:CB:CF:03:57:46:EB:04:DD:B7:16
+-----BEGIN CERTIFICATE-----
+MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO
+TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh
+dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX
+DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl
+ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv
+b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291
+qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp
+uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU
+Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE
+pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp
+5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M
+UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN
+GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy
+5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv
+6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK
+eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6
+B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/
+BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov
+L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG
+SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS
+CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen
+5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897
+IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK
+gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL
++63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL
+vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm
+bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk
+N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC
+Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z
+ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ==
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (from r365248, head/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem)
@@ -0,0 +1,68 @@
+##
+##  Symantec Class 1 Public Primary Certification Authority - G4
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 1 Public Primary Certification Authority - G4
+        Validity
+            Not Before: Oct  5 00:00:00 2011 GMT
+            Not After : Jan 18 23:59:59 2038 GMT
+        Subject: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 1 Public Primary Certification Authority - G4
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d7:66:b5:1b:db:ae:b3:60:ee:46:ea:88:63:75:
+                    3b:2a:94:6d:f3:5f:12:f6:e3:0f:9e:b6:0a:14:53:
+                    48:52:c8:dc:3a:b3:cb:48:20:26:12:4e:fa:89:84:
+                    d4:df:91:e4:29:7d:28:01:d9:db:18:43:69:a1:1f:
+                    b5:d3:86:16:dc:c7:7f:67:23:df:df:31:31:83:03:
+                    35:70:b1:4b:b7:c8:17:bb:51:cb:dc:94:17:db:ea:
+                    09:3b:76:12:de:aa:b5
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                65:C0:8D:25:F5:0C:BA:97:77:90:3F:9E:2E:E0:5A:F5:CE:D5:E1:E4
+    Signature Algorithm: ecdsa-with-SHA384
+         30:66:02:31:00:a5:ae:e3:46:53:f8:98:36:e3:22:fa:2e:28:
+         49:0d:ee:30:7e:33:f3:ec:3f:71:5e:cc:55:89:78:99:ac:b2:
+         fd:dc:1c:5c:33:8e:29:b9:6b:17:c8:11:68:b5:dc:83:07:02:
+         31:00:9c:c8:44:da:69:c2:36:c3:54:19:10:85:02:da:9d:47:
+         ef:41:e7:6c:26:9d:09:3d:f7:6d:90:d1:05:44:2f:b0:bc:83:
+         93:68:f2:0c:45:49:39:bf:99:04:1c:d3:10:a0
+SHA1 Fingerprint=84:F2:E3:DD:83:13:3E:A9:1D:19:52:7F:02:D7:29:BF:C1:5F:E6:67
+-----BEGIN CERTIFICATE-----
+MIICqDCCAi2gAwIBAgIQIW4zpcvTiKRvKQe0JzzE2DAKBggqhkjOPQQDAzCBlDEL
+MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
+VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBD
+bGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0g
+RzQwHhcNMTExMDA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBlDELMAkGA1UEBhMC
+VVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1h
+bnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBDbGFzcyAxIFB1
+YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATXZrUb266zYO5G6ohjdTsqlG3zXxL24w+etgoUU0hS
+yNw6s8tIICYSTvqJhNTfkeQpfSgB2dsYQ2mhH7XThhbcx39nI9/fMTGDAzVwsUu3
+yBe7UcvclBfb6gk7dhLeqrWjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRlwI0l9Qy6l3eQP54u4Fr1ztXh5DAKBggqhkjOPQQD
+AwNpADBmAjEApa7jRlP4mDbjIvouKEkN7jB+M/PsP3FezFWJeJmssv3cHFwzjim5
+axfIEWi13IMHAjEAnMhE2mnCNsNUGRCFAtqdR+9B52wmnQk9922Q0QVEL7C8g5No
+8gxFSTm/mQQc0xCg
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (from r365248, head/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem)
@@ -0,0 +1,68 @@
+##
+##  Symantec Class 2 Public Primary Certification Authority - G4
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
+        Signature Algorithm: ecdsa-with-SHA384
+        Issuer: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G4
+        Validity
+            Not Before: Oct  5 00:00:00 2011 GMT
+            Not After : Jan 18 23:59:59 2038 GMT
+        Subject: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 2 Public Primary Certification Authority - G4
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d1:d9:4a:8e:4c:0d:84:4a:51:ba:7c:ef:d3:cc:
+                    fa:3a:9a:b5:a7:63:13:3d:01:e0:49:3e:fa:c1:47:
+                    c9:92:b3:3a:d7:fe:6f:9c:f7:9a:3a:0f:f5:0e:0a:
+                    0a:c3:3f:c8:e7:12:14:8e:d5:d5:6d:98:2c:b3:71:
+                    32:0a:eb:2a:bd:f6:d7:6a:20:0b:67:45:9c:d2:b2:
+                    bf:53:22:66:09:5d:db:11:f3:f1:05:33:58:a3:e2:
+                    b8:cf:7c:cd:82:9b:bd
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                3D:32:F3:3A:A9:0C:90:84:F9:A2:8C:69:06:61:54:2F:87:72:FE:05
+    Signature Algorithm: ecdsa-with-SHA384
+         30:66:02:31:00:c8:a6:a9:af:41:7f:b5:c9:11:42:16:68:69:
+         4c:5c:b8:27:18:b6:98:f1:c0:7f:90:6d:87:d3:8c:46:17:f0:
+         3e:4f:fc:ea:b0:08:c4:7a:4b:bc:08:2f:c7:e2:a7:6f:65:02:
+         31:00:d6:59:de:86:ce:5f:0e:ca:54:d5:c6:d0:15:0e:fc:8b:
+         94:72:d4:8e:00:58:53:cf:7e:b1:4b:0d:e5:50:86:eb:9e:6b:
+         df:ff:29:a6:d8:47:d9:a0:96:18:db:f2:45:b3
+SHA1 Fingerprint=67:24:90:2E:48:01:B0:22:96:40:10:46:B4:B1:67:2C:A9:75:FD:2B
+-----BEGIN CERTIFICATE-----
+MIICqDCCAi2gAwIBAgIQNBdlEkA7t1aALYDLeVWmHjAKBggqhkjOPQQDAzCBlDEL
+MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
+VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBD
+bGFzcyAyIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0g
+RzQwHhcNMTExMDA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBlDELMAkGA1UEBhMC
+VVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1h
+bnRlYyBUcnVzdCBOZXR3b3JrMUUwQwYDVQQDEzxTeW1hbnRlYyBDbGFzcyAyIFB1
+YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAATR2UqOTA2ESlG6fO/TzPo6mrWnYxM9AeBJPvrBR8mS
+szrX/m+c95o6D/UOCgrDP8jnEhSO1dVtmCyzcTIK6yq99tdqIAtnRZzSsr9TImYJ
+XdsR8/EFM1ij4rjPfM2Cm72jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBQ9MvM6qQyQhPmijGkGYVQvh3L+BTAKBggqhkjOPQQD
+AwNpADBmAjEAyKapr0F/tckRQhZoaUxcuCcYtpjxwH+QbYfTjEYX8D5P/OqwCMR6
+S7wIL8fip29lAjEA1lnehs5fDspU1cbQFQ78i5Ry1I4AWFPPfrFLDeVQhuuea9//
+KabYR9mglhjb8kWz
+-----END CERTIFICATE-----

Copied: stable/11/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (from r365248, head/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ stable/11/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem	Sat Sep  5 02:22:07 2020	(r365357, copy of r365248, head/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem)
@@ -0,0 +1,87 @@
+##
+##  Verisign Class 3 Public Primary Certification Authority - G3
+##
+##  This is a single X.509 certificate for a public Certificate
+##  Authority (CA). It was automatically extracted from Mozilla's
+##  root CA list (the file `certdata.txt' in security/nss).
+##
+##  Extracted from nss
+##  with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $
+##
+##  @generated
+##
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number:
+            9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
+        Validity
+            Not Before: Oct  1 00:00:00 1999 GMT
+            Not After : Jul 16 23:59:59 2036 GMT
+        Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:cb:ba:9c:52:fc:78:1f:1a:1e:6f:1b:37:73:bd:
+                    f8:c9:6b:94:12:30:4f:f0:36:47:f5:d0:91:0a:f5:
+                    17:c8:a5:61:c1:16:40:4d:fb:8a:61:90:e5:76:20:
+                    c1:11:06:7d:ab:2c:6e:a6:f5:11:41:8e:fa:2d:ad:
+                    2a:61:59:a4:67:26:4c:d0:e8:bc:52:5b:70:20:04:
+                    58:d1:7a:c9:a4:69:bc:83:17:64:ad:05:8b:bc:d0:
+                    58:ce:8d:8c:f5:eb:f0:42:49:0b:9d:97:27:67:32:
+                    6e:e1:ae:93:15:1c:70:bc:20:4d:2f:18:de:92:88:
+                    e8:6c:85:57:11:1a:e9:7e:e3:26:11:54:a2:45:96:
+                    55:83:ca:30:89:e8:dc:d8:a3:ed:2a:80:3f:7f:79:
+                    65:57:3e:15:20:66:08:2f:95:93:bf:aa:47:2f:a8:
+                    46:97:f0:12:e2:fe:c2:0a:2b:51:e6:76:e6:b7:46:
+                    b7:e2:0d:a6:cc:a8:c3:4c:59:55:89:e6:e8:53:5c:
+                    1c:ea:9d:f0:62:16:0b:a7:c9:5f:0c:f0:de:c2:76:
+                    ce:af:f7:6a:f2:fa:41:a6:a2:33:14:c9:e5:7a:63:
+                    d3:9e:62:37:d5:85:65:9e:0e:e6:53:24:74:1b:5e:
+                    1d:12:53:5b:c7:2c:e7:83:49:3b:15:ae:8a:68:b9:
+                    57:97
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha1WithRSAEncryption
+         11:14:96:c1:ab:92:08:f7:3f:2f:c9:b2:fe:e4:5a:9f:64:de:
+         db:21:4f:86:99:34:76:36:57:dd:d0:15:2f:c5:ad:7f:15:1f:
+         37:62:73:3e:d4:e7:5f:ce:17:03:db:35:fa:2b:db:ae:60:09:
+         5f:1e:5f:8f:6e:bb:0b:3d:ea:5a:13:1e:0c:60:6f:b5:c0:b5:
+         23:22:2e:07:0b:cb:a9:74:cb:47:bb:1d:c1:d7:a5:6b:cc:2f:
+         d2:42:fd:49:dd:a7:89:cf:53:ba:da:00:5a:28:bf:82:df:f8:
+         ba:13:1d:50:86:82:fd:8e:30:8f:29:46:b0:1e:3d:35:da:38:
+         62:16:18:4a:ad:e6:b6:51:6c:de:af:62:eb:01:d0:1e:24:fe:
+         7a:8f:12:1a:12:68:b8:fb:66:99:14:14:45:5c:ae:e7:ae:69:
+         17:81:2b:5a:37:c9:5e:2a:f4:c6:e2:a1:5c:54:9b:a6:54:00:
+         cf:f0:f1:c1:c7:98:30:1a:3b:36:16:db:a3:6e:ea:fd:ad:b2:
+         c2:da:ef:02:47:13:8a:c0:f1:b3:31:ad:4f:1c:e1:4f:9c:af:
+         0f:0c:9d:f7:78:0d:d8:f4:35:56:80:da:b7:6d:17:8f:9d:1e:
+         81:64:e1:fe:c5:45:ba:ad:6b:b9:0a:7a:4e:4f:4b:84:ee:4b:
+         f1:7d:dd:11
+SHA1 Fingerprint=13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
+cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
+LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
+aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
+dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
+VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
+aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
+bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
+IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b
+N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t
+KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu
+kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm
+CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ
+Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu
+imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te
+2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe
+DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC
+/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p
+F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt
+TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ==
+-----END CERTIFICATE-----