Bug 254676 - Certificate blacklisted on CURRENT
Summary: Certificate blacklisted on CURRENT
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Reported: 2021-03-31 11:37 UTC by Jochen Neumeister
Modified: 2021-03-31 16:24 UTC (History)

Description Jochen Neumeister freebsd_committer 2021-03-31 11:37:54 UTC
>>> Installing everything completed on Wed Mar 31 11:45:55 CEST 2021
--------------------------------------------------------------
Scanning /usr/share/certs/blacklisted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/blacklisted/157753a5.0)
Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/blacklisted/861a399d.0)
Skipping blacklisted certificate /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem (/etc/ssl/blacklisted/128805a3.0)
Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/blacklisted/2c543cd1.0)
Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem (/etc/ssl/blacklisted/480720ec.0)
Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (/etc/ssl/blacklisted/e2799e36.0)
Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA.pem (/etc/ssl/blacklisted/ad088e1d.0)
Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem (/etc/ssl/blacklisted/8867006a.0)
Skipping blacklisted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/blacklisted/def36a68.0)
Skipping blacklisted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/blacklisted/5c44d531.0)
Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/62744ee1.0)
Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/4d4ba017.0)
Skipping blacklisted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem (/etc/ssl/blacklisted/6410666e.0)
Skipping blacklisted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/7d0b38bd.0)
Skipping blacklisted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (/etc/ssl/blacklisted/b204d74a.0)
Skipping blacklisted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/blacklisted/c0ff1f52.0)
Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA.pem (/etc/ssl/blacklisted/2e4eed3c.0)
Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem (/etc/ssl/blacklisted/c089bbbd.0)
Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem (/etc/ssl/blacklisted/ba89ed3b.0)
Scanning /usr/local/share/certs for certificates...
root@joneumbox:/usr/src # uname -a
FreeBSD joneumbox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-51cc31088: Tue Mar 30 16:52:21 CEST 2021     root@joneumbox.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG  amd64


cmt gave this news about this error on the ML: https://lists.freebsd.org/pipermail/freebsd-current/2021-March/079317.html

Various reasons:
- Symantec (which owned Thawte and VeriSign back in the time) made
  the news in a bad way:
  https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
- some certificates are simply expired
- some certificates use SHA-1 ("sha1WithRSAEncryption") which is
  beyond deprecated
- and basically "whatever Mozilla did", as the certificates are
  imported from NSS.


How can we proceed here to solve the problem? Can the certificates simply be deleted from /usr/share/certs/trusted/*?
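As an added illustration (not part of this bug report, of certctl, or of the FreeBSD tree), the Python below checks a DER certificate for two of the blacklist reasons listed above, expiry and a sha1WithRSAEncryption signature, using a minimal hand-written DER walk so it runs without third-party libraries. The certificate it inspects is a constructed, unsigned sample built by `sample_cert`; on a host one would feed it the DER form of the files under /usr/share/certs/trusted instead.

```python
import datetime as dt
SHA1_RSA_OID = "1.2.840.113549.1.1.5"              # sha1WithRSAEncryption, named in the report
SHA1_RSA_DER = bytes.fromhex("2a864886f70d010105")  # the same OID, DER-encoded, for the sample

def tlv(tag, body):  # encode one DER TLV (short or 2-byte long-form length)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, body, position after it); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(body):  # (tag, body) pairs directly inside a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_to_str(val):  # dotted form of a DER OBJECT IDENTIFIER body (base-128 arcs)
    parts, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n); n = 0
    return ".".join(map(str, parts))

def inspect_cert(der, now=None):
    """Flag the two blacklist reasons named in the report: expiry and a SHA-1 signature."""
    tbs, sig_alg, _signature = children(read_tlv(der)[1])
    fields = children(tbs[1])
    i = 1 if fields[0][0] == 0xA0 else 0            # optional [0] EXPLICIT version
    tag, not_after = children(fields[i + 3][1])[1]  # validity = SEQ { notBefore, notAfter }
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    expiry = dt.datetime.strptime(not_after.decode(), fmt).replace(tzinfo=dt.timezone.utc)
    alg = oid_to_str(children(sig_alg[1])[0][1])
    expired = expiry < (now or dt.datetime.now(dt.timezone.utc))
    return {"sig_alg": alg, "not_after": expiry.isoformat(), "expired": expired, "sha1": alg == SHA1_RSA_OID}

def sample_cert(sig_oid_der, not_after):
    """Constructed, structurally valid but unsigned certificate, used only to exercise the parser."""
    alg = tlv(0x30, tlv(0x06, sig_oid_der) + tlv(0x05, b""))
    empty = tlv(0x30, b"")                          # empty Name / SubjectPublicKeyInfo placeholder
    validity = tlv(0x30, tlv(0x17, b"010101000000Z") + tlv(0x17, not_after.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + empty + validity + empty + empty)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

The same walk works on a real root (for example `openssl x509 -in cert.pem -outform DER`), since it only relies on the fixed field order of TBSCertificate.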
Comment 1 Kyle Evans freebsd_committer 2021-03-31 15:28:55 UTC
> How can we proceed here to solve the problem? Can the certificates simply be deleted from /usr/share/certs/trusted/*?

What's the actual problem you're encountering? They cannot simply be deleted, no.
Comment 2 Jochen Neumeister freebsd_committer 2021-03-31 16:20:35 UTC
(In reply to Kyle Evans from comment #1)

Yes, and how to deal with the problem when I cannot delete these blacklisted certificates? I think other people may have the same problem.
Comment 3 Kyle Evans freebsd_committer 2021-03-31 16:24:24 UTC
(In reply to Jochen Neumeister from comment #2)

I'm still not sure what problem we're even trying to address here. Blacklisting is part of the natural process, they'll age out of there eventually.