[Bug 247044] security/ca_root_nss: Expired AddTrust certificate causes trouble on 11.3-RELEASE-p9

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247044

            Bug ID: 247044
           Summary: security/ca_root_nss: Expired AddTrust certificate
                    causes trouble on 11.3-RELEASE-p9
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam at FreeBSD.org
          Reporter: dev2 at heesakkers.info
             Flags: maintainer-feedback?(ports-secteam at FreeBSD.org)
          Assignee: ports-secteam at FreeBSD.org

ca_root_nss version 3.53 still contains the expired "AddTrust External CA root"
and "AddTrust Class 1 CA Root". As far as I understand it, this shouldn't be a
problem for openssl 1.1 which automatically builds a new required chain, but on
11.3-RELEASE-p9, which uses openssl 1.0, validation will fail.

If you're looking for en example certificate that exhibits this problem:
rtvutrecht dot nl

My solution was to remove the expired certificates from
/usr/local/share/certs/ca-root-nss.crt

I'm not sure whether this should be fixed at the FreeBSD end or the Mozilla
end, I'll leave that to the maintainer to decide.

-- 
You are receiving this mail because:
You are the assignee for the bug.