Bug 250681 - certctl(8) blacklisting certificates still shown as trusted
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: Unspecified
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Kyle Evans
URL: https://reviews.freebsd.org/D28056
Depends on:
Reported: 2020-10-28 03:22 UTC by corvid
Modified: 2021-01-09 05:29 UTC

Description corvid 2020-10-28 03:22:38 UTC
This is in 12.2-RELEASE, which is not an option yet.

I blacklisted some certificates, and "certctl blacklisted" showed them getting blacklisted, but "certctl list" would also still show them. My common sense tells me that I can’t have a certificate trusted and blacklisted at the same time.
Comment 1 Kyle Evans freebsd_committer 2020-10-28 14:59:56 UTC
I think the issue here is that blacklisting a cert does not trigger a rehash, so certctl list won't reflect it until the next rehash. We should make this more proactive and actually remove it from /etc/ssl/certs, though...
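A check an administrator can run for the inconsistency described in comment 1, added here as an example (it is not code from the bug report or from certctl(8) itself). It assumes certctl's convention of naming entries `<subject-hash>.<n>` in both the blacklist directory and the trusted directory (FreeBSD defaults `/etc/ssl/blacklisted` and `/etc/ssl/certs`), and builds a constructed pair of directories to demonstrate a stale trusted entry:

```shell
#!/bin/sh
# Added example, not part of certctl(8): report blacklisted hash entries
# that still have a same-named entry in the trusted directory, i.e. a
# certificate that "certctl list" would still show as trusted.

# still_trusted BLACKLIST_DIR TRUSTED_DIR
# Prints the basename of every blacklisted entry that is still present
# under the trusted directory, one per line.  Always returns 0; the
# caller counts the output lines to decide whether anything is stale.
still_trusted() {
	blacklisted="$1"
	trusted="$2"
	for f in "$blacklisted"/*; do
		[ -e "$f" ] || continue
		name=$(basename "$f")
		# certctl names entries <hash>.<n>; ignore anything else
		case "$name" in
			*.[0-9]*) ;;
			*) continue ;;
		esac
		if [ -e "$trusted/$name" ]; then
			echo "$name"
		fi
	done
	return 0
}

# Constructed demonstration (assumed hash names, not real certificates):
# one blacklisted entry that was never removed from the trusted directory,
# plus one unrelated trusted entry that must not be reported.
demo() {
	tmp=$(mktemp -d)
	mkdir "$tmp/blacklisted" "$tmp/certs"
	printf 'cert A\n' > "$tmp/blacklisted/0123abcd.0"
	printf 'cert A\n' > "$tmp/certs/0123abcd.0"     # stale trusted entry
	printf 'cert B\n' > "$tmp/certs/89ef4567.0"     # unrelated trusted cert
	still_trusted "$tmp/blacklisted" "$tmp/certs"
	rm -r "$tmp"
}

# On a real system: still_trusted /etc/ssl/blacklisted /etc/ssl/certs
```

Any line printed is a certificate that is blacklisted on paper but still hash-linked as trusted, which is exactly the state the reporter saw until a rehash removed the stale entry.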
Comment 2 corvid 2020-10-28 16:38:08 UTC
When I had tried rehashing yesterday, it would undo my blacklisting. Or at least so it seemed.
Comment 3 Kyle Evans freebsd_committer 2020-10-28 16:51:31 UTC
(In reply to corvid from comment #2)

Oh, oh dear. =(