From eugen@grosbein.net Tue Oct  5 06:40:05 2021
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 3AD9417CAD09
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Tue,  5 Oct 2021 06:40:23 +0000 (UTC)
	(envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HNnyZ0CkHz3q8W
	for <freebsd-security@freebsd.org>; Tue,  5 Oct 2021 06:40:21 +0000 (UTC)
	(envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged))
	by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id 1956eCsQ043443
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Tue, 5 Oct 2021 06:40:13 GMT
	(envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: mike@sentex.net
Received: from [10.58.0.10] (dadvw [10.58.0.10])
	by eg.sd.rdtc.ru (8.16.1/8.16.1) with ESMTPS id 1956eBgh093173
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT);
	Tue, 5 Oct 2021 13:40:11 +0700 (+07)
	(envelope-from eugen@grosbein.net)
Subject: Re: openssl patch for RELENG_11 to work around Lets Encrypt work
 around
To: mike tancsa <mike@sentex.net>,
        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
References: <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>
 <20211001225104.GA74427@funkthat.com>
 <4d54f1ae-3989-b07e-c75a-c30755cd8bb3@sentex.net>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <33721447-02f8-c63e-bc99-f6bdda6d3cf1@grosbein.net>
Date: Tue, 5 Oct 2021 13:40:05 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:security+help@freebsd.org>
List-Post: <mailto:security@freebsd.org>
List-Subscribe: <mailto:security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security+unsubscribe@freebsd.org>
Sender: owner-freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
MIME-Version: 1.0
In-Reply-To: <4d54f1ae-3989-b07e-c75a-c30755cd8bb3@sentex.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT
	autolearn=disabled version=3.4.2
X-Spam-Report: 
	* -0.0 SHORTCIRCUIT No description available.
	* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 4HNnyZ0CkHz3q8W
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=fail (mx1.freebsd.org: domain of eugen@grosbein.net does not designate 2a01:4f8:c2c:26d8::2 as permitted sender) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-0.84 / 15.00];
	 TO_DN_EQ_ADDR_SOME(0.00)[];
	 R_SPF_FAIL(1.00)[-all];
	 FREEFALL_USER(0.00)[eugen];
	 FROM_HAS_DN(0.00)[];
	 TO_DN_SOME(0.00)[];
	 ARC_NA(0.00)[];
	 MID_RHS_MATCH_FROM(0.00)[];
	 MIME_GOOD(-0.10)[text/plain];
	 DMARC_NA(0.00)[grosbein.net];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 NEURAL_SPAM_MEDIUM(0.07)[0.072];
	 RCVD_COUNT_THREE(0.00)[3];
	 TO_MATCH_ENVRCPT_SOME(0.00)[];
	 NEURAL_HAM_SHORT(-0.81)[-0.809];
	 RCPT_COUNT_TWO(0.00)[2];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE];
	 RCVD_TLS_ALL(0.00)[];
	 MAILMAN_DEST(0.00)[freebsd-security]
X-ThisMailContainsUnwantedMimeParts: N

04.10.2021 20:44, mike tancsa wrote:

> I guess the one challenge is that I need to update the future updates. 
> pkg upgrade will fetch the latest ca_root_nss: 3.69 -> 3.69_1 again,
> which has the problematic cert. I then need to patch again. I wonder if
> this is why OpenBSD just went the flags way ?  Granted, this is
> RELENG_11 which is out of support now anyways.  But for the archives,
> removing the cert via the attached patch and making sure
> /usr/local/etc/ssl/cert.pem points to
> /usr/local/share/certs/ca-root-nss.crt fixes up fetch and lib fetch users.

It is meaningless to run pkg upgrade for stable/11 these days.