I was hoping people with expertise on this issue could chime in about the implications of running with this patch on FreeBSD 11 which I know is now out of support.
This patch is inspired by https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig with caveats from https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

--- crypto/openssl/crypto/x509/x509_vpm.c.prev 2021-10-01 09:16:51.753533000 -0400 +++ crypto/openssl/crypto/x509/x509_vpm.c 2021-10-01 09:19:39.708106000 -0400 @@ -537,7 +537,7 @@ "default", /* X509 default parameters */ 0, /* Check time */ 0, /* internal flags */ - 0, /* flags */ + X509_V_FLAG_TRUSTED_FIRST, /* flags */ 0, /* purpose */ 0, /* trust */ 100, /* depth */

Am I opening myself up to more issues by doing this? This is however the default on RELENG_12 and above.

---Mike
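Review bot: the flags field of the "default" parameter set goes from 0 to X509_V_FLAG_TRUSTED_FIRST while its comment still reads only "/* flags */", so nothing in x509_vpm.c records why this tree departs from the value it shipped with. Since this is the compiled-in default rather than a per-application setting, it applies to every verification that falls back to the "default" parameters; suggest extending the comment to name the reason (the root expiry described in the linked OpenSSL post) and that it matches the RELENG_12 default mentioned in the message. Before deploying, it is also worth running a verification test against both a chain that still includes the expired root and one that does not, to confirm the behaviour change is the intended one.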