Bug 247044 - security/ca_root_nss: Expired AddTrust certificate causes trouble on 11.3-RELEASE-p9
Summary: security/ca_root_nss: Expired AddTrust certificate causes trouble on 11.3-REL...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Ports Security Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-07 12:57 UTC by Oliver Heesakkers
Modified: 2020-08-01 23:20 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (ports-secteam)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Heesakkers 2020-06-07 12:57:36 UTC 
ca_root_nss version 3.53 still contains the expired "AddTrust External CA root" and "AddTrust Class 1 CA Root". As far as I understand it, this shouldn't be a problem for openssl 1.1 which automatically builds a new required chain, but on 11.3-RELEASE-p9, which uses openssl 1.0, validation will fail.

If you're looking for en example certificate that exhibits this problem: rtvutrecht dot nl

My solution was to remove the expired certificates from /usr/local/share/certs/ca-root-nss.crt

I'm not sure whether this should be fixed at the FreeBSD end or the Mozilla end, I'll leave that to the maintainer to decide.
Comment 1 Oliver Heesakkers 2020-08-01 23:20:09 UTC 
Certs were removed in NSS 3.54