mike tancsa
2021-Oct-01 14:31 UTC
openssl patch for RELENG_11 to work around Let's Encrypt work around
I was hoping people with expertise on this issue could chime in about the implications of running with this patch on FreeBSD 11, which I know is now out of support. This patch is inspired by https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig with caveats from https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

--- crypto/openssl/crypto/x509/x509_vpm.c.prev? 2021-10-01 09:16:51.753533000 -0400 +++ crypto/openssl/crypto/x509/x509_vpm.c?????? 2021-10-01 09:19:39.708106000 -0400 @@ -537,7 +537,7 @@ ????? "default",???????????????? /* X509 default parameters */ ????? 0,???????????????????????? /* Check time */ ????? 0,???????????????????????? /* internal flags */ -???? 0,???????????????????????? /* flags */ +???? X509_V_FLAG_TRUSTED_FIRST, /* flags */ ????? 0,???????????????????????? /* purpose */ ????? 0,???????????????????????? /* trust */ ????? 100,?????????????????????? /* depth */

Am I opening myself up to more issues by doing this? This is, however, the default on RELENG_12 and above.

---Mike
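Review bot: the precondition for this change is not stated anywhere in the patch. Setting X509_V_FLAG_TRUSTED_FIRST in the "default" entry's `flags` field only changes the order in which issuers are looked up while the chain is built (trust store before the peer-supplied certificates); it does not relax the expiry check, so on a host whose trust store does not contain the self-signed ISRG Root X1 the verifier still follows the cross-signed certificate to the expired DST Root CA X3 and fails exactly as before. Because this is the process-wide default for every caller that never sets its own verification flags, document that ISRG Root X1 must be present (or ship the change together with the trust-store update) so the patch is not applied on hosts where it cannot work.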
John-Mark Gurney
2021-Oct-01 22:51 UTC
openssl patch for RELENG_11 to work around Let's Encrypt work around
mike tancsa wrote this message on Fri, Oct 01, 2021 at 10:31 -0400:

> I was hoping people with expertise on this issue could chime in about the implications of running with this patch on FreeBSD 11 which I know is now out of support.
>
> This patch is inspired from https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig with caveats from https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>
> --- crypto/openssl/crypto/x509/x509_vpm.c.prev? 2021-10-01 > 09:16:51.753533000 -0400 > +++ crypto/openssl/crypto/x509/x509_vpm.c?????? 2021-10-01 > 09:19:39.708106000 -0400 > @@ -537,7 +537,7 @@ > ????? "default",???????????????? /* X509 default parameters */ > ????? 0,???????????????????????? /* Check time */ > ????? 0,???????????????????????? /* internal flags */ > -???? 0,???????????????????????? /* flags */ > +???? X509_V_FLAG_TRUSTED_FIRST, /* flags */ > ????? 0,???????????????????????? /* purpose */ > ????? 0,???????????????????????? /* trust */ > ????? 100,?????????????????????? /* depth */
>
> Am I opening myself up to more issues by doing this ? This is however the default on RELENG_12 and above.

I don't think there are any issues with that patch, but I'd recommend you just do workaround 1 in the second link, that is, remove the expired DST X3 cert and make sure the new ISRG X1 cert is present. Either way, hosts have to be updated to support it, and this method can be done via an update to the ca_root_nss package, which is less invasive than the above patch.

--
John-Mark Gurney    Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
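Both positions in the thread (Mike's X509_V_FLAG_TRUSTED_FIRST default patch, and John-Mark's workaround 1 of dropping the expired DST Root CA X3 while keeping ISRG Root X1) work by changing which root the verifier's chain ends at. The following Python model, added here and not code from either poster or from OpenSSL, builds a chain the way OpenSSL 1.0.2 does with and without trusted-first and then checks expiry from the anchor down. It is a deliberate simplification of X509_verify_cert() (no signatures, no key identifiers, only subject-name matching and expiry), and every certificate name, date and the www.example.test host are constructed stand-ins rather than real certificate data.

```python
"""Toy model of OpenSSL-style chain building (added example, not OpenSSL code).

A simplification of X509_verify_cert(), kept only to show what
X509_V_FLAG_TRUSTED_FIRST changes and why removing the expired root also
works.  Every certificate, name and date below is a constructed stand-in.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # only expiry is modelled; no signatures, no key IDs

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def _find(certs, subject):
    """Issuer lookup: first certificate whose subject name matches."""
    return next((c for c in certs if c.subject == subject), None)


def build_chain(leaf, untrusted, trust_store, trusted_first):
    """Return [leaf, ..., anchor] or None if no anchor is reachable.

    trusted_first=False models the OpenSSL 1.0.2 default: follow the
    peer-supplied (untrusted) certificates first, consult the store only
    when they run out.  trusted_first=True models the patched default
    (and OpenSSL 1.1.0+): consult the store at every step, so a trusted
    self-signed root beats a cross-signed copy of the same name.
    """
    chain = [leaf]
    for _ in range(100):  # depth limit, mirroring the 100 in the patched defaults
        top = chain[-1]
        if top.self_signed and _find(trust_store, top.subject) == top:
            return chain  # reached a trust anchor
        if trusted_first:
            nxt = _find(trust_store, top.issuer) or _find(untrusted, top.issuer)
        else:
            nxt = _find(untrusted, top.issuer) or _find(trust_store, top.issuer)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    # Dead end: retry from the top of the chain looking for a trusted
    # self-signed issuer of a certificate already in it.  A simplified
    # stand-in for the retry OpenSSL 1.0.2 performs in this situation.
    for i in range(len(chain) - 1, -1, -1):
        anchor = _find(trust_store, chain[i].issuer)
        if anchor is not None and anchor.self_signed:
            return chain[: i + 1] + [anchor]
    return None


def verify(leaf, untrusted, trust_store, now, trusted_first):
    """(True, chain subjects) or (False, reason).  Expiry is checked from
    the anchor down, the order in which OpenSSL reports such errors."""
    chain = build_chain(leaf, untrusted, trust_store, trusted_first)
    if chain is None:
        return False, "unable to get issuer certificate"
    for c in reversed(chain):
        if c.not_after < now:
            return False, f"certificate has expired: {c.subject}"
    return True, [c.subject for c in chain]


# Constructed fixtures modelled on the 2021 situation.  Dates are stand-ins.
UTC = timezone.utc
NOW = datetime(2021, 10, 1, 12, 0, tzinfo=UTC)      # the day of the thread
EXPIRED = datetime(2021, 9, 30, 14, 0, tzinfo=UTC)  # already past at NOW
VALID = datetime(2035, 6, 4, tzinfo=UTC)

DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", EXPIRED)  # old, expired root
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", VALID)       # new self-signed root
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", EXPIRED)  # cross-sign the peer sends
R3 = Cert("R3", "ISRG Root X1", VALID)                        # issuing intermediate
LEAF = Cert("www.example.test", "R3", VALID)

PRESENTED = [R3, ISRG_CROSS]       # the peer's chain, minus the leaf itself
OLD_STORE = [DST_ROOT, ISRG_ROOT]  # trust store still carrying the expired root
NEW_STORE = [ISRG_ROOT]            # workaround 1: expired root removed


def scenarios():
    """The four cases discussed in the thread, keyed by a short label."""
    return {
        "1.0.2 default, expired root still trusted":
            verify(LEAF, PRESENTED, OLD_STORE, NOW, trusted_first=False),
        "TRUSTED_FIRST patch, expired root still trusted":
            verify(LEAF, PRESENTED, OLD_STORE, NOW, trusted_first=True),
        "1.0.2 default, expired root removed (workaround 1)":
            verify(LEAF, PRESENTED, NEW_STORE, NOW, trusted_first=False),
        "TRUSTED_FIRST patch, but ISRG Root X1 missing from store":
            verify(LEAF, PRESENTED, [DST_ROOT], NOW, trusted_first=True),
    }


if __name__ == "__main__":
    for label, (ok, detail) in scenarios().items():
        print(f"{'OK ' if ok else 'ERR'} {label}: {detail}")
```

Running it prints the four cases. With the expired root still in the store, the unpatched builder walks the peer's cross-signed ISRG Root X1 up to DST Root CA X3 and fails on expiry; the flag fixes that only because a self-signed ISRG Root X1 is in the store (the fourth case shows the flag alone failing without it); and removing the expired root fixes it with no code change at all, which is why the ca_root_nss update is the less invasive route.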