On 10/1/2021 6:51 PM, John-Mark Gurney wrote:
> mike tancsa wrote this message on Fri, Oct 01, 2021 at 10:31 -0400:
>> I was hoping people with expertise on this issue could chime in about
>> the implications of running with this patch on FreeBSD 11 which I know
>> is now out of support.
>>
>> This patch is inspired from
>>
>> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/032_cert.patch.sig
>> with caveats from
>> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>>
>> --- crypto/openssl/crypto/x509/x509_vpm.c.prev  2021-10-01
>> 09:16:51.753533000 -0400
>> +++ crypto/openssl/crypto/x509/x509_vpm.c       2021-10-01
>> 09:19:39.708106000 -0400
>> @@ -537,7 +537,7 @@
>>       "default",                 /* X509 default parameters */
>>       0,                         /* Check time */
>>       0,                         /* internal flags */
>> -     0,                         /* flags */
>> +     X509_V_FLAG_TRUSTED_FIRST, /* flags */
>>       0,                         /* purpose */
>>       0,                         /* trust */
>>       100,                       /* depth */
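Review bot: the one-line change to `X509_V_FLAG_TRUSTED_FIRST` only changes which candidate the path builder prefers when both the expired DST Root X3 and a self-signed ISRG Root X1 are available; with no ISRG Root X1 in the trust store it changes nothing, so the patch description should state that precondition instead of leaving it to the linked blog post. Because the edit is to the compiled-in default in `x509_vpm.c`, it applies to every consumer of the base OpenSSL library, which is the intended system-wide effect and matches the remark that RELENG_12 already defaults to it, but a program that sets its own verify-parameter flags will still override it. Minor: the mailer has wrapped the `---`/`+++` header lines onto two lines each, so the patch will not apply as quoted until those are rejoined.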
>>
>>
>> Am I opening myself up to more issues by doing this? This is however the
>> default on RELENG_12 and above.
> I don't think there are any issues with that patch, but I'd recommend you
> just do workaround 1 in the second link, that is, remove the expired DST
> X3 cert, and make sure the new ISRG X1 cert is present.
>
> Either way, hosts have to be updated to support it, and this method
> can be done via an update to the ca_root_nss package which is less
> invasive than the above patch.

I guess the one challenge is that I need to update the future updates.
pkg upgrade will fetch the latest ca_root_nss: 3.69 -> 3.69_1 again,
which has the problematic cert. I then need to patch again. I wonder if
this is why OpenBSD just went the flags way? Granted, this is
RELENG_11 which is out of support now anyways. But for the archives,
removing the cert via the attached patch and making sure
/usr/local/etc/ssl/cert.pem points to
/usr/local/share/certs/ca-root-nss.crt fixes up fetch and libfetch users.


    ---Mike


# diff -u /usr/local/share/certs/ca-root-nss.crt.prev 
/usr/local/share/certs/ca-root-nss.crt
--- /usr/local/share/certs/ca-root-nss.crt.prev 2021-10-04 09:31:27.275299000 
-0400
+++ /usr/local/share/certs/ca-root-nss.crt      2021-09-30 10:54:36.000000000 
-0400
@@ -4178,88 +4178,6 @@
 -----END CERTIFICATE-----
 
 
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
-        Validity
-            Not Before: Sep 30 21:12:19 2000 GMT
-            Not After : Sep 30 14:01:15 2021 GMT
-        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
-                    82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
-                    c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
-                    ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
-                    2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
-                    a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
-                    30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
-                    65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
-                    52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
-                    8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
-                    70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
-                    30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
-                    92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
-                    d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
-                    eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
-                    02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
-                    69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
-                    02:5d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
-    Signature Algorithm: sha1WithRSAEncryption
-         a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
-         4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
-         a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
-         20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
-         b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
-         3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
-         dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
-         e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
-         0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
-         67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
-         85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
-         63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
-         b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
-         96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
-         82:35:35:10
-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
-
-
 Certificate:
     Data:
         Version: 3 (0x2)
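Review bot: the hunk removes exactly one entry, DST Root CA X3 (SHA1 DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13, Not After Sep 30 14:01:15 2021 GMT), which is the right entry, but nothing in the diff shows that the ISRG Root X1 entry remains in the same file, and that presence is the precondition for the removal to help; the submission should state it (its fingerprint, or a grep of the retained subject) rather than leave it implied. As the message itself notes, an edit to the installed ca-root-nss.crt is undone by the next `pkg upgrade` of ca_root_nss, so a durable fix belongs in a locally maintained bundle that /usr/local/etc/ssl/cert.pem points at, or in a port-level patch, not in the package-owned file. Minor: the `---`/`+++` header lines are wrapped by the mailer and need rejoining before the patch applies, and dropping the three trailing `-` blank lines along with the one leading one leaves two blank lines between the neighbouring entries where the file otherwise uses three.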
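The check behind both halves of this thread, whether the expired DST Root CA X3 is still in the bundle and whether ISRG Root X1 is present, as an added example; it is not code from the list post or from the ca_root_nss port. It assumes the bundle carries the textual `Subject:` / `Not After` dump in front of each PEM block, as ca-root-nss.crt does in the diff above (a bundle of bare PEM blocks would need a real X.509 parser instead). The sample bundle is constructed: the PEM bodies are placeholders, the first entry's metadata copies the DST Root CA X3 values shown in the thread, and the ISRG Root X1 dates are illustrative rather than taken from the page.

```python
"""Audit a ca-root-nss.crt style bundle: expired roots, required anchor present."""
import re
from datetime import datetime, timezone

PEM_END = "-----END CERTIFICATE-----"
# Fields of the textual dump that ca-root-nss.crt prints before each PEM block.
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")
FP_RE = re.compile(r"^SHA1 Fingerprint=([0-9A-Fa-f:]+)\s*$")
CN_RE = re.compile(r"CN\s*=\s*([^,]+)")

# Constructed sample in the layout of ca-root-nss.crt. PEM bodies are placeholders;
# the first entry copies the expired DST Root CA X3 values from the thread, the
# second entry's dates are illustrative (assumption, not copied from the page).
SAMPLE_BUNDLE = """\
Certificate:
    Data:
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY-1
-----END CERTIFICATE-----


Certificate:
    Data:
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY-2
-----END CERTIFICATE-----
"""


def utc(year, month, day):
    """Timezone-aware UTC instant, so the expiry comparison is never naive."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_bundle(text):
    """One dict per certificate: cn, subject, not_after, sha1 and raw.

    'raw' keeps the entry's complete text (dump plus PEM) so a pruned bundle
    is written back in the file's original layout.
    """
    entries, current, raw = [], {}, []
    for line in text.splitlines(keepends=True):
        raw.append(line)
        if m := SUBJECT_RE.match(line):          # not "Subject Public Key Info:"
            current["subject"] = m.group(1)
            cn = CN_RE.search(m.group(1))
            current["cn"] = cn.group(1).strip() if cn else None
        elif m := NOT_AFTER_RE.match(line):      # openssl's "Sep 30 14:01:15 2021 GMT"
            current["not_after"] = datetime.strptime(
                m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif m := FP_RE.match(line):
            current["sha1"] = m.group(1).upper()
        elif line.strip() == PEM_END:            # end of one entry
            current["raw"] = "".join(raw)
            entries.append(current)
            current, raw = {}, []
    return entries


def expired_entries(entries, now):
    """Entries whose notAfter is at or before 'now'; an expired root left in the
    store is exactly what the thread is working around."""
    return [e for e in entries if "not_after" in e and e["not_after"] <= now]


def has_cn(entries, cn):
    return any(e.get("cn") == cn for e in entries)


def prune_bundle(text, drop_cns):
    """Rewrite the bundle without the entries whose CN is in drop_cns."""
    return "".join(e["raw"] for e in parse_bundle(text) if e.get("cn") not in drop_cns)


def audit(text, now, required_cn="ISRG Root X1"):
    """Report expired anchors and whether the replacement anchor is present."""
    entries = parse_bundle(text)
    expired = [e.get("cn") for e in expired_entries(entries, now)]
    return {"total": len(entries), "expired": expired,
            "has_required": has_cn(entries, required_cn),
            "ok": not expired and has_cn(entries, required_cn)}


if __name__ == "__main__":
    when = utc(2021, 10, 1)                      # date of the thread's first mail
    print(audit(SAMPLE_BUNDLE, when))            # expired: ['DST Root CA X3'], ok False
    print(audit(prune_bundle(SAMPLE_BUNDLE, {"DST Root CA X3"}), when))  # ok True
```

Run it against the real file with `audit(open("/usr/local/share/certs/ca-root-nss.crt").read(), utc(...))`; an `ok` of False with `has_required` False means removing the expired root is not enough and the ISRG Root X1 entry has to be added as well. `prune_bundle` is what the attached diff does by hand, and because it keeps each entry's text dump, the output can replace the installed file (or better, a locally maintained copy that cert.pem points at) without changing its layout.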
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security