openssl patch for RELENG_11 to work around Lets Encrypt work around
mike tancsa
mike at sentex.net
Fri Oct 1 14:31:07 UTC 2021
I was hoping people with expertise on this issue could chime in about
the implications of running with this patch on FreeBSD 11, which I know
is now out of support.
This patch is inspired by
https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
with caveats from
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
--- crypto/openssl/crypto/x509/x509_vpm.c.prev 2021-10-01
09:16:51.753533000 -0400
+++ crypto/openssl/crypto/x509/x509_vpm.c 2021-10-01
09:19:39.708106000 -0400
@@ -537,7 +537,7 @@
"default", /* X509 default parameters */
0, /* Check time */
0, /* internal flags */
- 0, /* flags */
+ X509_V_FLAG_TRUSTED_FIRST, /* flags */
0, /* purpose */
0, /* trust */
100, /* depth */
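Review bot: In the "default" entry the flags field changes from 0 to X509_V_FLAG_TRUSTED_FIRST, but the comment stays the generic /* flags */, so the source does not record why the default changed. Suggest extending the comment to name the reason (the Let's Encrypt root expiry the subject line refers to) and to state that certificates in the local trust store are now preferred over peer-supplied ones during chain building for every caller that uses the default verify parameters. The hunk touches only the "default" row; the other rows of this table are not visible here, so please confirm whether they pick the flag up from this entry or need the same change.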
Am I opening myself up to more issues by doing this? This is, however, the default on RELENG_12 and above.
---Mike
More information about the freebsd-security
mailing list