Bug 259314 - security/ca_root_nss: still including expired let's encrypt certificate causing issues
Status: Closed DUPLICATE of bug 258834
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ports Security Team
URL:
Keywords:
Depends on:
Blocks:
Reported: 2021-10-20 15:13 UTC by Misso Works
Modified: 2022-11-07 09:30 UTC
CC List: 1 user

See Also:
Flags: bugzilla: maintainer-feedback? (ports-secteam)


Description Misso Works 2021-10-20 15:13:33 UTC
Hello,

Do we know when security/ca_root_nss will simply remove the expired certificate DST Root CA X3 from their bundle?

We're running FreeBSD 12.2 and are using a software stack being exposed to this bug in openssl [1] which is also documented by the guys at TrueNas [2] (because the technology we rely on maintains its own old fork of openssl). Basically, because of this bug in openssl, if the expired certificate is present in the trust store, the expired cert is picked instead of the new one, which of course results in a TLS authentication failure. So apps cannot connect to websites and APIs using a Let's Encrypt certificate... (which represents many endpoints these days).

We're going to keep removing the cert manually for the time being, but this is not a sustainable solution I'm afraid; it'd be much better if upstream just removed it. How fast are expired certs usually removed from the bundle?

[1]: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
[2]: https://www.truenas.com/community/threads/ssl-certificate-problem-certificate-has-expired-the-openssl-1-0-2-vs-letsencrypt-issue.95874/
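The report above boils down to one check an operator wants to run routinely: does the CA bundle the system trusts still carry a root whose notAfter has passed? The script below is an added example, not code from this bug report, from the ca_root_nss port or from OpenSSL. It uses only the Python standard library: a minimal DER walker reads just the validity period and the subject CN of each certificate in a PEM bundle and lists the expired ones. The two certificates it scans are constructed, unsigned, certificate-shaped blobs built inline (the names and the DST Root CA X3 expiry timestamp mirror the public values, but nothing here is a real certificate); the bundle path in the usage note is an assumption, not something the report states.

```python
"""Scan a PEM CA bundle for certificates whose notAfter has already passed.

Added example (not from the FreeBSD bug report or the ca_root_nss port).
Standard library only; the DER walker reads only the fields it needs.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x06\x03\x55\x04\x03"  # id-at-commonName (2.5.4.3), already TLV-encoded


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as RFC 5280 requires ('Z' suffix)."""
    text = raw.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_info(der):
    """Return (common_name, not_before, not_after) from a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)               # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                              # optional explicit [0] version
        pos = end
    for _ in range(3):                           # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    tag, vs, ve = read_tlv(der, pos)             # Validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity not found")
    t1, s1, e1 = read_tlv(der, vs)
    t2, s2, e2 = read_tlv(der, e1)
    not_before, not_after = parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])
    _, ss, se = read_tlv(der, ve)                # subject Name follows validity
    subject, cn = der[ss:se], ""
    i = subject.find(OID_CN)                     # simplified: first CN attribute only
    if i >= 0:
        _, cs, ce = read_tlv(subject, i + len(OID_CN))
        cn = subject[cs:ce].decode("utf-8", "replace")
    return cn, not_before, not_after


def pem_certs(pem_bundle):
    """Yield the DER bytes of every certificate in a PEM bundle, in file order."""
    for m in PEM_RE.finditer(pem_bundle):
        yield base64.b64decode("".join(m.group(1).split()))


def expired_certs(pem_bundle, now=None):
    """List (common_name, not_after) for each certificate already expired at `now`."""
    now = now or datetime.now(timezone.utc)
    return [(cn, na) for cn, _, na in map(cert_info, pem_certs(pem_bundle)) if na <= now]


# --- constructed sample input: certificate-shaped DER, unsigned, not real certificates ---
def der(tag, content):
    """Encode one DER TLV (helper for building the sample bundle)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_cert_pem(cn, not_before, not_after):
    """Build a PEM block whose DER layout matches RFC 5280 up to the subject field."""
    name = der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, cn.encode()))))
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                 # version v3
              + der(0x02, b"\x01")                                # serialNumber
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
              + name                                              # issuer
              + der(0x30, utc(not_before) + utc(not_after))       # validity
              + name                                              # subject
              + der(0x30, b""))                                   # placeholder SPKI
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))   # empty sigalg/signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_BUNDLE = (
    fake_cert_pem("DST Root CA X3", datetime(2000, 9, 30, 21, 12, 19), datetime(2021, 9, 30, 14, 1, 15))
    + fake_cert_pem("ISRG Root X1", datetime(2015, 6, 4, 11, 4, 38), datetime(2035, 6, 4, 11, 4, 38))
)

if __name__ == "__main__":
    import sys
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for cn, na in expired_certs(bundle):
        print("EXPIRED %s (notAfter %s)" % (cn, na.isoformat()))
```

Run it against the bundle a system actually trusts (on FreeBSD with the port installed this is assumed to be /usr/local/share/certs/ca-root-nss.crt, passed as the first argument) to confirm whether a stale root is coming from that file or, as comment 2 suggests, from somewhere else entirely. The walker only needs the TBSCertificate prefix up to the subject, so it tolerates any extensions or key types that follow.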
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2022-04-27 10:28:32 UTC
^Triage: This appears to be a duplicate of bug 258834, closing accordingly. 

Apologies for the lack of response Misso. Please re-open this issue if the duplicate assessment was incorrect.

*** This bug has been marked as a duplicate of bug 258834 ***
Comment 2 Li-Wen Hsu freebsd_committer freebsd_triage 2022-11-07 09:28:20 UTC
DST Root CA X3 is removed from ca_root_nss since 3.74, and the current version in ports is 3.83.  Where do you see the DST Root CA X3 on your system?  That may come from a different place.  BTW, 12.2 is EoL'd, please consider upgrading to a newer supported version, which also doesn't suffer from the OpenSSL 1.0.2 issue you mentioned.
Comment 3 Li-Wen Hsu freebsd_committer freebsd_triage 2022-11-07 09:30:14 UTC
(In reply to Li-Wen Hsu from comment #2)
Sorry, got notified from an old issue and didn't check the date, but this issue has been resolved already.