Re: Blacklisted certificates

From: Jochen Neumeister <joneum_at_FreeBSD.org>
Date: Wed, 31 Mar 2021 16:19:44 +0200
Am 31.03.21 um 14:24 schrieb Ronald Klop:
>
> Van: Jochen Neumeister <joneum_at_FreeBSD.org>
> Datum: woensdag, 31 maart 2021 13:26
> Aan: Christoph Moench-Tegeder <cmt_at_burggraben.net>, 
> freebsd-current_at_freebsd.org
> Onderwerp: Re: Blacklisted certificates
>>
>>
>> Am 31.03.21 um 13:02 schrieb Christoph Moench-Tegeder:
>> > ## Jochen Neumeister (joneum_at_FreeBSD.org):
>> >
>> >> Why are this certificates blacklisted?
>> > Various reasons:
>> > - Symantec (which owned Thawte and VeriSign back in the time) made
>> >    the news in a bad way:
>> > 
>> https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
>> > - some certificates are simply expired
>> > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>> >    beyond deprecated
>> > - and basically "whatever Mozilla did", as the certificates are
>> >    imported from NSS.
>>
>> how can I ignore the certificates now? So now everyone has this 
>> problem with an update
>>
>>
>> Greetings
>> Jochen
>>
>> _______________________________________________
>> freebsd-current_at_freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to 
>> "freebsd-current-unsubscribe_at_freebsd.org"
>>
>>
>>
>
> Hi,
>
> This is the proper output of installworld. So you don't have to ignore 
> anything anymore. It is handled by installworld.
>

in the next step etcupdate has another problem. I have to delete the 
blacklist certificates manually.

#cd /usr/src && etcupdate
Conflicts remain from previous update, aborting.


Greetings
Jochen
Received on Wed Mar 31 2021 - 12:19:52 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:27 UTC