From: Andrew Reilly <areilly@bigpond.net.au>
To: freebsd-stable@freebsd.org, security@freebsd.org
Cc: Dag-Erling Smørgrav
Date: Mon, 9 Oct 2023 12:07:20 +1100
Subject: Re: Change to installation of security/ca_root_nss seems to have broken my mail?
Message-Id: <558CB491-D27A-4B3D-80CB-FE3ECBD17167@bigpond.net.au>
In-Reply-To: <0F710F4D-FE91-4B88-8ADB-8D98379E95B1@bigpond.net.au>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

Hi again,

I just noticed that the bottom of that reviews link includes a reference to this one:
https://reviews.freebsd.org/R11:52e0c40367d3ebd09ab7169e025c37fbf70b8dee
and that restores the symlinks and bumps the port revision up to 2.

I've just updated my ports tree to catch that and rebuilt both security/ca_root_nss and mail/fetchmail and can (happily) confirm that this has fixed the problem for me. So I guess that security/openssl31 is one of the ports that relies on the previous symlink.

Cheers,

Andrew

> On 9 Oct 2023, at 10:33, Andrew Reilly wrote:
>
> Hi all,
>
> I've had security/openssl31 installed for many months, and all dependent ports rebuilt against it (with ssl=openssl31 in DEFAULT_VERSIONS), so that I could keep an eye on what might have issues with it, assuming an eventual change to the 3-series in base. And maybe it's more secure, given that it's had a pile of extra work done to it, while 1.1.1... is in maintenance. Up to this weekend, everything has been great.
>
> One of the applications that I use that depends on openssl is mail/fetchmail, which I use to retrieve mail from my ISP's IMAP server at imap.telstra.com:993.
>
> Coincident with updating the security/ca_root_nss port, fetchmail started to complain that the imap server was using a self-signed certificate in its chain:
>
> Oct  7 09:09:52 zen fetchmail[3770]: Server certificate verification error: self-signed certificate in certificate chain
> Oct  7 09:09:52 zen fetchmail[3770]: Missing trust anchor certificate: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> Oct  7 09:09:52 zen fetchmail[3770]: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
> Oct  7 09:09:52 zen fetchmail[3770]: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
> Oct  7 09:09:52 zen fetchmail[3770]: imap.telstra.com: SSL connection failed.
>
> After some head-scratching, I rebuilt fetchmail manually so that it was configured to use the openssl1.1.1w in base, rather than the port, and now it works again. I haven't been able to figure out why.
>
> I've tried rebuilding openssl31 with all of the optional (deprecated) pieces turned on, on the suspicion that Telstra must be using something dodgy, but their certificate does not seem to have changed recently, and does not look especially dodgy to me: it seems to be signed by the DigiCert Global CA.
>
> Looking at the timing of the failure and what changed at that point, I can now see that it was not openssl31 as such, but security/ca_root_nss that changed, and it did not change by upstream version, just by port version, due to a change in the way that it is installed: https://reviews.freebsd.org/D42045
>
> Does anyone have any thoughts about why this change would have broken this very specific thing, and perhaps what I can do about it?
>
> Cheers,
>
> Andrew
>
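The failure in the thread is a trust-store location problem: fetchmail, given no --sslcertfile/--sslcertpath, falls back to the CA file and hashed CA directory compiled into whichever OpenSSL it was linked against (base or the port), and when the symlink at that location disappears every chain is reported as lacking a trust anchor. The following is an added diagnostic, not code from the thread or from the FreeBSD ports; its function names are my own, it reads the compiled-in paths via Python's ssl module, and the PEM bundle and hashed entry used in the test are constructed samples.

```python
"""Added example (not code from the thread): check whether the CA file and
hashed CA directory an OpenSSL build falls back to (its compiled-in defaults,
used by fetchmail when no --sslcertfile/--sslcertpath is given) hold anchors."""
import os
import re
import ssl

# c_rehash / `openssl rehash` name entries <8 hex digits>.<n>; OpenSSL ignores
# a CApath directory that has no such names.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def count_pem_certs(path):
    """Number of PEM certificate blocks in a bundle file; 0 if absent/unreadable."""
    if not path:
        return 0
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read().count(PEM_BEGIN)
    except OSError:
        return 0

def count_hashed_entries(path):
    """Number of hashed entries in a CApath directory; 0 if absent/unreadable."""
    if not path:
        return 0
    try:
        return sum(1 for n in os.listdir(path) if HASHED_NAME.match(n))
    except OSError:
        return 0

def diagnose(cafile, capath):
    """Summarise one pair of trust-store paths; 'usable' is False when neither
    yields an anchor, the state behind the 'Missing trust anchor' log lines."""
    certs = count_pem_certs(cafile)
    hashed = count_hashed_entries(capath)
    return {
        "cafile": cafile,
        "cafile_is_symlink": bool(cafile) and os.path.islink(cafile),
        "cafile_certs": certs,
        "capath": capath,
        "capath_hashed_entries": hashed,
        "usable": certs > 0 or hashed > 0,
    }

def report_default_paths():
    """Diagnose the compiled-in paths of the OpenSSL this interpreter links."""
    p = ssl.get_default_verify_paths()
    return diagnose(p.openssl_cafile, p.openssl_capath)
```

Run it under a Python linked against the OpenSSL in question; a dangling symlink shows up as cafile_is_symlink True with cafile_certs 0, which is the condition the ca_root_nss revision bump restored.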