[Bug 258834] security/ca_root_nss: request to remove outdated "DST Root CA X3" cert b/c of collateral damage

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 01 Oct 2021 10:00:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258834

            Bug ID: 258834
           Summary: security/ca_root_nss: request to remove outdated "DST
                    Root CA X3" cert b/c of collateral damage
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: tphilipp@potion-studios.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Hello,

Since yesterday, the "DST Root CA X3"
(44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) cert expired, and although
that's in theory not a big deal and normal, it seems to cause problems for
different applications. E.g. unbound fails to verify certs of DoT servers that
use LE certificates. Removing that cert from the bundle fixes the issue. I
think in unbound's case, it is misled into following the wrong chain, so removing
this cert results in a working verification using the certs it actually is
supposed to look at... dunno, sorry for not having analyzed this further.

This is not the ca_root_nss pkg's fault from what I understand, but rather bugs
in different applications, so sorry for opening this PR about ca_root_nss -
however, it's safe to remove the outdated cert, and it'll implicitly fix other
stacks. Other vendors seem to have followed the same approach, e.g. Apple.

More info:
https://old.reddit.com/r/sysadmin/comments/pyzb6s/did_the_lets_encrypt_dst_ca_x3_root_certificate/
https://forum.opnsense.org/index.php?PHPSESSID=0fu9b0q69p7l53agatlc4b0lgk&topic=24950.0

Note: there was a release for v3.71, also, yesterday; maybe upstream removed
this themselves.

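As an added illustration (not part of this bug report or of the ca_root_nss port), the following Python script audits a PEM bundle the way the reporter did by hand: it lists expired certificates with their colon-hex MD5 fingerprints and returns the bundle with those entries removed. The minimal DER walk and the constructed sample certificates are this example's own; the samples are unsigned stand-ins in X.509 field order, not real CA certificates.

```python
import base64, hashlib, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def _tlv(der, pos):  # decode one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length
def _children(value):  # (tag, value) members of a constructed DER element
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def not_after(der):
    """notAfter of a DER Certificate as an aware UTC datetime (RFC 5280 field order)."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])   # tbsCertificate members
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, value = _children(fields[3][1])[1]                # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def audit_bundle(pem_text, now=None):
    """Split a PEM bundle into (expired, valid) lists of (md5 fingerprint, notAfter, PEM block)."""
    now, expired, valid = now or datetime.now(timezone.utc), [], []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(m.group(1))
        fp = ":".join(f"{b:02x}" for b in hashlib.md5(der).digest())  # colon-hex, as in the report
        entry = (fp, not_after(der), m.group(0))
        (expired if entry[1] <= now else valid).append(entry)
    return expired, valid
def strip_expired(pem_text, now=None):
    """The mitigation from the report: return the bundle with expired certificates removed."""
    for _, _, block in audit_bundle(pem_text, now)[0]:
        pem_text = pem_text.replace(block, "")
    return pem_text
def _enc(tag, payload):  # tiny DER encoder, used only to build the constructed sample below
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload
def constructed_cert_pem(not_after_utctime):
    """Constructed, unsigned sample in X.509 field order; NOT a real CA certificate."""
    validity = _enc(0x30, _enc(0x17, b"000101000000Z") + _enc(0x17, not_after_utctime))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")   # version, serial
               + _enc(0x30, b"") + _enc(0x30, b"") + validity)              # sigAlg, issuer, validity
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))           # + sigAlg, signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Run `audit_bundle(open("/usr/local/share/certs/ca-root-nss.crt").read())` to list expired roots in an installed bundle (path is an assumption for the FreeBSD port); the constructed samples below use an expiry on 30 Sep 2021, the date the report refers to.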