From: Andrew Reilly <areilly@bigpond.net.au>
To: freebsd-stable@freebsd.org, security@freebsd.org
Cc: Dag-Erling Smørgrav
Subject: Change to installation of security/ca_root_nss seems to have broken my mail?
Date: Mon, 9 Oct 2023 10:33:45 +1100
Message-Id: <0F710F4D-FE91-4B88-8ADB-8D98379E95B1@bigpond.net.au>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
Hi all,

I've had security/openssl31 installed for many months, and all dependent ports rebuilt against it (with ssl=openssl31 in DEFAULT_VERSIONS), so that I could keep an eye on what might have issues with it, assuming an eventual change to the 3-series in base. And maybe it's more secure, given that it's had a pile of extra work done to it, while 1.1.1... is in maintenance. Up to this weekend, everything has been great.

One of the applications that I use that depends on openssl is mail/fetchmail, which I use to retrieve mail from my ISP's IMAP server at imap.telstra.com:993.

Coincident with updating the security/ca_root_nss port, fetchmail started to complain that the imap server was using a self-signed certificate in its chain:

Oct 7 09:09:52 zen fetchmail[3770]: Server certificate verification error: self-signed certificate in certificate chain
Oct 7 09:09:52 zen fetchmail[3770]: Missing trust anchor certificate: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Oct 7 09:09:52 zen fetchmail[3770]: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
Oct 7 09:09:52 zen fetchmail[3770]: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
Oct 7 09:09:52 zen fetchmail[3770]: imap.telstra.com: SSL connection failed.

After some head-scratching, I rebuilt fetchmail manually so that it was configured to use the openssl1.1.1w in base, rather than the port, and now it works again. I haven't been able to figure out why.

I've tried rebuilding openssl31 with all of the optional (deprecated) pieces turned on, on the suspicion that Telstra must be using something dodgy, but their certificate does not seem to have changed recently, and does not look especially dodgy to me: it seems to be signed by the DigiCert Global CA.

Looking at the timing of the failure and what changed at that point, I can now see that it was not openssl31 as such, but security/ca_root_nss that changed, and it did not change by upstream version, just by port version, due to a change in the way that it is installed: https://reviews.freebsd.org/D42045

Does anyone have any thoughts about why this change would have broken this very specific thing, and perhaps what I can do about it?

Cheers,

Andrew
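A way to check the two things this failure hinges on, added here as an example and not code from the original post or from FreeBSD: which trust store the OpenSSL build in use actually consults (it is derived from the compiled-in OPENSSLDIR, /usr/local/openssl for the ports openssl vs. /etc/ssl for base), and whether the root named in fetchmail's "Missing trust anchor" line is loaded from it. It uses only the Python standard library, so running it under a Python linked against the port's OpenSSL and one linked against base shows the difference directly; SAMPLE_LOG is constructed from the log line quoted above.

```python
import re
import ssl
from typing import Dict, List, Optional

# Constructed from the fetchmail log line quoted in the post.
SAMPLE_LOG = ("Oct 7 09:09:52 zen fetchmail[3770]: Missing trust anchor "
              "certificate: /C=US/O=DigiCert Inc/OU=www.digicert.com"
              "/CN=DigiCert Global Root CA")

def missing_anchor_cn(log_line: str) -> Optional[str]:
    """CN of the root that fetchmail reports it could not find, or None."""
    m = re.search(r"Missing trust anchor certificate: (.*)$", log_line)
    cn = re.search(r"/CN=([^/]+)", m.group(1)) if m else None
    return cn.group(1).strip() if cn else None

def default_verify_paths() -> Dict[str, Optional[str]]:
    """Where the OpenSSL this Python links against looks for roots. The
    paths come from its compiled-in OPENSSLDIR (ports openssl31:
    /usr/local/openssl, base: /etc/ssl); *_present is None if absent."""
    p = ssl.get_default_verify_paths()
    return {"cafile_env": p.openssl_cafile_env,   # usually SSL_CERT_FILE
            "cafile": p.openssl_cafile,           # e.g. /etc/ssl/cert.pem
            "cafile_present": p.cafile,
            "capath_env": p.openssl_capath_env,   # usually SSL_CERT_DIR
            "capath": p.openssl_capath,           # e.g. /etc/ssl/certs
            "capath_present": p.capath}

def trust_anchor_cns(cafile: Optional[str] = None,
                     capath: Optional[str] = None) -> List[str]:
    """CNs of every CA loaded from an explicit store, or from the OpenSSL
    defaults when none is given. Caveat: a hashed capath directory is
    read lazily and its roots only appear after first use, so point this
    at a bundle file (e.g. ca-root-nss.crt) for a reliable answer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no roots
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs()
    return [value for cert in ctx.get_ca_certs()
            for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def has_trust_anchor(common_name: str, cafile: Optional[str] = None,
                     capath: Optional[str] = None) -> bool:
    """True if the named root is loaded from the given (or default) store."""
    return common_name in trust_anchor_cns(cafile, capath)

if __name__ == "__main__":
    print("default verify paths:", default_verify_paths())
    print("root loaded:", has_trust_anchor(missing_anchor_cn(SAMPLE_LOG)))
```

If the default paths point somewhere the updated ca_root_nss no longer populates, passing that store's bundle file explicitly (or setting SSL_CERT_FILE for fetchmail) is the quickest way to confirm the diagnosis.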