[oi-dev] crypto/ca-certificates

stes@PANDORA.BE stes at telenet.be
Fri Oct 29 17:01:19 UTC 2021


At Mozilla they replied that they plan to fix this in December.

https://bugzilla.mozilla.org/show_bug.cgi?id=1733003

What could work as a temporary workaround is to patch the certdata.txt file:

$ pkg list ca-certificates                               
NAME (PUBLISHER)                                  VERSION                    IFO
crypto/ca-certificates (userland)                 3.71-2020.0.1.1            i--

This is a COMPONENT_REVISION=1 update to the 3.71 package with a patch

  patches/01-DST_Root_CA_X3.patch 
--- nss-3.71.orig/nss/lib/ckfw/builtins/certdata.txt    Fri Oct 29 18:32:43 2021
+++ nss-3.71/nss/lib/ckfw/builtins/certdata.txt Fri Oct 29 18:33:34 2021
@@ -3113,136 +3113,6 @@
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "DST Root CA X3"
-#
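Review bot: the quoted hunk stops after the first two removed lines, while the header `@@ -3113,136 +3113,6 @@` says 130 lines are dropped, so the full patch should be checked to confirm that the removal covers both the certificate object and the matching trust object for "DST Root CA X3" and ends on an object boundary. After the context line `CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE` the file should continue directly with the comment header of the next entry. A short description at the top of patches/01-DST_Root_CA_X3.patch that points to the Mozilla bug would also make it clear when the patch can be dropped again.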

where the DST Root CA X3 is removed from certdata.txt.


I am not sure whether this is all that is necessary, but it seems to work for me.

The package builds fine, the 2 lines for DST Root CA X3 (file and link) are removed from the sample manifest, and when updating the manifest to simply remove the DST Root CA X3, all seems fine.

Because this is necessary to connect in Squeak Smalltalk to

   https://squeak.org

it would be nice to get rid of the expired certificate.


However, on the other hand, this is not at all urgent, and it is easy to fix locally.


So, instead of patching OpenIndiana with a temporary workaround and patch,
I think it is safest to wait for Mozilla NSS to be changed/updated,
and then follow Mozilla NSS unpatched in December 2021.

Regards,
David Stes
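
One way to check the open question in the message above (whether removing the certificate block is all that is needed), added here as an example and not part of the original post or of the OpenIndiana patch: it reads certdata.txt-style text and reports labels left with only one of the CKO_CERTIFICATE / CKO_NSS_TRUST objects. The sample input and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, heavily shortened sample in certdata.txt layout (not real NSS data).
# "DST Root CA X3" is deliberately half-removed: certificate gone, trust object left.
SAMPLE = r'''
# Certificate "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\112
END

# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "DST Root CA X3"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "DST Root CA X3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

PAIR = {"CKO_CERTIFICATE", "CKO_NSS_TRUST"}

def objects_by_label(text):
    """Map each CKA_LABEL to the CKA_CLASS values of the objects that carry it."""
    found, current_class, in_octal = defaultdict(set), None, False
    for line in text.splitlines():
        if in_octal:                       # skip octal DER bytes up to END
            in_octal = line.strip() != "END"
        elif line.rstrip().endswith("MULTILINE_OCTAL"):
            in_octal = True
        elif line.startswith("CKA_CLASS "):
            current_class = line.split()[-1]
        elif current_class and (m := re.match(r'CKA_LABEL UTF8 "(.*)"\s*$', line)):
            found[m.group(1)].add(current_class)
    return dict(found)

def half_removed(text):
    """Labels left with only one object of the certificate/trust pair."""
    return sorted(l for l, c in objects_by_label(text).items() if len(c & PAIR) == 1)

def remaining(text, label):
    """Object classes still present for a label; empty set means fully removed."""
    return objects_by_label(text).get(label, set())

if __name__ == "__main__":
    print("half removed:", half_removed(SAMPLE))
    print("DST Root CA X3 leftovers:", remaining(SAMPLE, "DST Root CA X3"))
```

Run against the patched nss-3.71/nss/lib/ckfw/builtins/certdata.txt, an empty result from `remaining(text, "DST Root CA X3")` means no object with that label is left in the built-in list.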



