[oi-dev] crypto/ca-certificates

stes@PANDORA.BE stes at telenet.be
Fri Oct 29 12:42:02 UTC 2021


> Red Hat's approach was to remove 'DST Root CA X3' from their packaged
> ca-certificates bundle.
> 
> 	https://access.redhat.com/articles/6338021
> 
> I'm not certain how other popular Linux distros have addressed it, but
> only a few distros do long-term support, so those would be the ones most
> impacted by it.

Somebody created a bugzilla entry for the issue at mozilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=1733560

DST X3 expired Sep 2021

The current nss-3.72 still has the entries:

./nss-3.72/nss/lib/ckfw/builtins/certdata.txt

Perhaps they may remove the expired certificate for nss-3.73, who knows ...

For the moment - as long as the upstream nss package still has the expired certificates - an OpenIndiana upgrade of ca-certificates will not help, unless the package is patched to exclude the problem certificate.

However, in this case it seems safer to just wait for 'upstream' mozilla.org decision.

Also note that 
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

writes:

The next release of OpenSSL 1.0.2 (1.0.2zb - available to premium support customers only) will make it possible to build the release with added -DOPENSSL_TRUSTED_FIRST_DEFAULT on the build configuration command line. That will make the -trusted_first option enabled by default by the OpenSSL library.


So an upgrade of OpenIndiana openssl 1.0.2 to 1.0.2zb if that is possible could be another approach.

This seems an example of an issue where multiple approaches/solutions exist.

For the moment on my machine, I can simply remove the certificate myself, and that works.
So if mozilla.org will react/act on the bug report 1733560 then the situation may change.

Regards,
David Stes
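The message above describes removing the expired root from a ca-certificates bundle by hand. Before doing that, an administrator wants to know exactly which entries in the bundle have passed their notAfter date. The script below is an added example written for this page, not code from the mailing list, from OpenIndiana or from NSS; it walks a PEM bundle with a minimal stdlib-only DER parser and reports expired entries. The bundle it runs on is constructed inside the script: the two entries are structural stand-ins with dummy keys and signatures that carry the validity dates of DST Root CA X3 and ISRG Root X1, and the path to a real bundle is left to the reader.

```python
"""Scan a PEM CA bundle and report which certificates have passed notAfter.

Stdlib-only DER walker, so it runs on a host without the `cryptography`
package. SAMPLE_BUNDLE is CONSTRUCTED: two structural stand-ins (dummy key,
dummy signature) carrying the validity dates of DST Root CA X3 and ISRG
Root X1; they are not the real certificates.
"""
import base64
import datetime
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"          # id-at-commonName 2.5.4.3


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:              # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def utc_time(s):
    """Parse GeneralizedTime text YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)


def _x509_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                # UTCTime YYMMDD...: RFC 5280 maps YY < 50 to 20YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return utc_time(s)


def _common_name(name):
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_CN:
                return val.decode("utf-8", "replace")
    return "<no CN>"


def cert_info(der):
    """Return (subject CN, notBefore, notAfter) from a DER certificate."""
    _, cert, _ = _tlv(der, 0)                       # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])       # tbsCertificate fields
    if fields[0][0] == 0xA0:                        # drop explicit [0] version if present
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = [_x509_time(t, v) for t, v in _children(fields[3][1])]
    return _common_name(fields[4][1]), not_before, not_after


def expired_certs(pem_text, now=None):
    """List (CN, notAfter) for every bundle entry whose notAfter is before now."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    out = []
    for m in PEM_RE.finditer(pem_text):
        cn, _, not_after = cert_info(base64.b64decode("".join(m.group(1).split())))
        if not_after < now:
            out.append((cn, not_after))
    return out


# --- constructed sample bundle (structural stand-ins, not real certificates) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):   # Name ::= SEQUENCE OF SET OF { OID commonName, PrintableString }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x13, cn.encode()))))


def make_stand_in(cn, not_before, not_after):
    """Build a PEM 'certificate' with real ASN.1 layout but dummy key/signature."""
    algo = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + algo
               + _name(cn) + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _name(cn) + _der(0x30, algo + _der(0x03, b"\x00\x00")))
    pem = base64.encodebytes(_der(0x30, tbs + algo + _der(0x03, b"\x00\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (make_stand_in("DST Root CA X3", "000930211219Z", "210930140115Z")
                 + make_stand_in("ISRG Root X1", "150604110438Z", "350604110438Z"))

if __name__ == "__main__":
    # Evaluate as of the date of this thread; on a real bundle pass the file's text instead.
    for cn, na in expired_certs(SAMPLE_BUNDLE, utc_time("20211029000000Z")):
        print(f"EXPIRED: {cn} (notAfter {na.isoformat()})")
```

Run against a real bundle by reading the PEM file into `expired_certs`; the stand-in builder is only there so the script runs offline. Note that the script reports expiry only: whether a still-valid chain can be built without the expired root (the `-trusted_first` behaviour the OpenSSL blog post describes) is a separate check done by the verifier, not by this scan.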


