[oi-dev] crypto/ca-certificates
stes@PANDORA.BE
stes at telenet.be
Fri Oct 29 17:01:19 UTC 2021
At Mozilla they replied that they plan to fix this in December.
https://bugzilla.mozilla.org/show_bug.cgi?id=1733003
What could work as a temporary workaround is to patch the certdata.txt file:
$ pkg list ca-certificates
NAME (PUBLISHER) VERSION IFO
crypto/ca-certificates (userland) 3.71-2020.0.1.1 i--
This is a COMPONENT_REVISION=1 update to the 3.71 package with a patch
patches/01-DST_Root_CA_X3.patch
--- nss-3.71.orig/nss/lib/ckfw/builtins/certdata.txt Fri Oct 29 18:32:43 2021
+++ nss-3.71/nss/lib/ckfw/builtins/certdata.txt Fri Oct 29 18:33:34 2021
@@ -3113,136 +3113,6 @@
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
-# Certificate "DST Root CA X3"
-#
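Review bot: the removal that starts at the `# Certificate "DST Root CA X3"` comment takes out 130 lines (136 down to 6 per the hunk header), but the visible part of the patch carries no note on why or for how long. Suggest a header comment in patches/01-DST_Root_CA_X3.patch that cites https://bugzilla.mozilla.org/show_bug.cgi?id=1733003 and says the patch is to be dropped once upstream NSS removes the root. Also confirm that the removed range ends at the entry's own CKA_TRUST_STEP_UP_APPROVED line, like the context line above the removal, so that no trust object for this label is left behind in certdata.txt.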
where the DST Root CA X3 is removed from certdata.txt.
I am not sure whether this is all that is necessary, but it seems to work for me.
The package builds fine, and the 2 lines for DST Root CA X3 (file and link) are removed from the sample manifest; when updating the manifest to simply remove the DST Root CA X3, all seems fine.
Because this is necessary to connect in Squeak Smalltalk to
https://squeak.org
it would be nice to get rid of the expired certificate.
However, on the other hand, this is not at all urgent, and it is easy to fix locally.
So, instead of patching OpenIndiana with a temporary workaround and patch, I think
it is safest to wait for Mozilla NSS to be changed/updated,
and then follow Mozilla NSS unpatched in December 2021.
Regards,
David Stes
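
One way to check that a removal like the one in this patch is complete, as an added example that is not part of the original message or of the OpenIndiana package: the sketch parses certdata.txt syntax and reports which object classes still carry a given label. The sample text is constructed, the function names are hypothetical, and it assumes each root appears as a CKO_CERTIFICATE object and a CKO_NSS_TRUST object sharing one CKA_LABEL.

```python
import re

# Constructed sample in certdata.txt syntax (not real NSS data; octal bytes shortened).
# It models an incomplete removal: the certificate object is gone, the trust object is not.
SAMPLE = r'''
# Certificate "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\112
END

# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "DST Root CA X3"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "DST Root CA X3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
'''

def objects_by_label(text):
    """Map each CKA_LABEL to the CKA_CLASS values of the objects carrying it."""
    found, current_class, in_octal = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if in_octal:                      # skip MULTILINE_OCTAL payload up to END
            in_octal = line != "END"
            continue
        if line.endswith("MULTILINE_OCTAL"):
            in_octal = True
        elif line.startswith("CKA_CLASS "):
            current_class = line.split()[-1]
        elif line.startswith("CKA_LABEL "):
            m = re.search(r'"(.*)"', line)
            if m and current_class:
                found.setdefault(m.group(1), []).append(current_class)
    return found

def leftovers(text, label):
    """Object classes still present for a root the patch should have removed."""
    return objects_by_label(text).get(label, [])

if __name__ == "__main__":
    print(leftovers(SAMPLE, "DST Root CA X3"))
```

Run against the patched certdata.txt, an empty list for the removed label means neither the certificate nor its trust record remains.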