Date:      Fri, 1 Oct 2021 15:51:04 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        mike tancsa <mike@sentex.net>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: openssl patch for RELENG_11 to work around Lets Encrypt work around
Message-ID:  <20211001225104.GA74427@funkthat.com>
In-Reply-To: <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>
References:  <626bd0ad-e0b9-1f98-9505-663d655fa73d@sentex.net>

mike tancsa wrote this message on Fri, Oct 01, 2021 at 10:31 -0400:
> I was hoping people with expertise on this issue could chime in about
> the implications of running with this patch on FreeBSD 11 which I know
> is now out of support.
> 
> This patch is inspired from
> 
> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
> with caveats from
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
> 
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
> 09:16:51.753533000 -0400
> +++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
> 09:19:39.708106000 -0400
> @@ -537,7 +537,7 @@
>       "default",                 /* X509 default parameters */
>       0,                         /* Check time */
>       0,                         /* internal flags */
> -     0,                         /* flags */
> +     X509_V_FLAG_TRUSTED_FIRST, /* flags */
>       0,                         /* purpose */
>       0,                         /* trust */
>       100,                       /* depth */
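Review bot: the flag is changed only in the "default" entry of this parameter table (the block headed by the `"default", /* X509 default parameters */` line), so any caller that installs its own verification parameters, or clears the flags after inheriting the defaults, will not pick up X509_V_FLAG_TRUSTED_FIRST; before relying on this as the sole fix on a RELENG_11 host it is worth confirming which consumers actually use the "default" set. The flag itself is the right lever for the problem described in the linked OpenSSL post: with it set, the trust store is consulted before the peer-supplied cross-signed intermediate, so chain building stops at the trusted ISRG Root X1 instead of following the cross-signature up to the expired DST Root CA X3. A one-line comment on the changed line stating why this default deviates from upstream 1.0.x would keep the intent visible across future merges.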
> 
> 
> Am I opening myself up to more issues by doing this? This is, however, the default on RELENG_12 and above.

I don't think there are any issues with that patch, but I'd recommend you
just do workaround 1 in the second link, that is, remove the expired DST
X3 cert, and make sure the new ISRG X1 cert is present.

Either way, hosts have to be updated to support it, and this method
can be done via an update to the ca_root_nss package, which is less
invasive than the above patch.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

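Added example, not part of the original thread or of OpenSSL: a small Python model of why both fixes discussed above work. It mimics the order in which OpenSSL 1.0.x looks for issuers when building a chain (peer-supplied certificates first unless trusted-first is set, then the trust store, then the 1.0.2 "alternative chains" backtrack) and then applies the expiry check. It is a deliberate simplification written for this page; the certificates are constructed stand-ins carrying only subject, issuer and an approximate expiry date, with no signatures or key identifiers.

```python
"""Simplified model of OpenSSL 1.0.x chain building (illustration only, not OpenSSL code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the fields chain building needs."""
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _issuer_of(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject names cert's issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                trusted_first: bool = False) -> Tuple[List[Cert], bool]:
    """Return (chain, anchored).

    Step 1 follows issuers among the peer-supplied (untrusted) certs; with
    trusted_first it stops as soon as the trust store can supply the issuer,
    which is what X509_V_FLAG_TRUSTED_FIRST changes.  Step 2 extends the chain
    from the trust store up to a self-signed root.  Step 3 is the 1.0.2
    fallback: if no root was reached, drop certs from the top of the chain one
    at a time and retry the trust store ("alternative chains").
    """
    chain = [leaf]
    while not chain[-1].self_signed:
        top = chain[-1]
        if trusted_first and _issuer_of(top, trusted) is not None:
            break  # a trusted issuer exists, so stop following the peer's chain
        nxt = _issuer_of(top, untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)

    def anchor_from_store(partial: List[Cert]) -> Optional[List[Cert]]:
        partial = list(partial)
        while not partial[-1].self_signed:
            nxt = _issuer_of(partial[-1], trusted)
            if nxt is None:
                return None
            partial.append(nxt)
        return partial if partial[-1] in trusted else None

    for cut in range(len(chain), 0, -1):
        anchored = anchor_from_store(chain[:cut])
        if anchored is not None:
            return anchored, True
    return chain, False


def verify(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
           now: datetime, trusted_first: bool = False) -> Tuple[bool, str, List[str]]:
    """Chain building followed by the expiry check; returns (ok, reason, chain subjects)."""
    chain, anchored = build_chain(leaf, untrusted, trusted, trusted_first)
    subjects = [c.subject for c in chain]
    if not anchored:
        return False, "unable to get local issuer certificate", subjects
    for cert in chain:
        if cert.not_after < now:
            return False, f"certificate has expired: {cert.subject}", subjects
    return True, "ok", subjects


# Constructed stand-ins for the Let's Encrypt hierarchy; expiry dates are approximate.
UTC = timezone.utc
NOW = datetime(2021, 10, 1, tzinfo=UTC)  # the day after DST Root CA X3 expired
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, tzinfo=UTC))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC))
LEAF = Cert("example.test", "R3", datetime(2021, 12, 1, tzinfo=UTC))  # constructed leaf
PEER_CHAIN = [R3, ISRG_X1_CROSS]  # what a server sends after the leaf


def demo() -> dict:
    """The three situations from the thread, on the same constructed inputs."""
    return {
        "1.0.x default, both roots in store": verify(LEAF, PEER_CHAIN, [DST_X3, ISRG_X1], NOW),
        "patch: trusted-first":                verify(LEAF, PEER_CHAIN, [DST_X3, ISRG_X1], NOW, True),
        "workaround 1: DST X3 removed":        verify(LEAF, PEER_CHAIN, [ISRG_X1], NOW),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the unpatched defaults the untrusted walk follows the peer's cross-signed ISRG Root X1 up to DST Root CA X3, which is in the store but expired. The patch stops the walk at R3 because the store already holds a self-signed ISRG Root X1; removing DST Root CA X3 from the store instead makes the first lookup fail, after which the backtrack finds the same trusted ISRG Root X1 from R3. Both paths end in the same three-certificate chain, which is why the reply above treats the ca_root_nss update as the lighter-weight fix.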