port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)
Dave Horsfall
dave at horsfall.org
Mon Nov 8 02:54:22 UTC 2021
On Sun, 7 Nov 2021, Bill Cole wrote:
>> So I wonder how widespread this problem is?
>
> The problem in this case is not the existence of the cert in the CA
> bundle, but the fact that this particular expired cert was used in an
> alternative validation path and the logic of verification for multi-path
> certs isn't correct. Normally, expired root CAs should stay in there
> because that allows positive non-verification of certs supposedly issued
> by an expired (and maybe compromised) root CA.
Gotcha; thanks.
>> And I'm not happy with those that are set way in the future; I heard
>> somewhere that 5 years is the recommended max.
>
> CAs are special. The current limit on server certs is 397 days. I don't
> think there's a consensus on CA lifetimes because of the conflicting
> risks of too-short and too-long lives.
One day past a leap year :-) I don't remember where I saw the 5-year
recommendation, unfortunately.
-- Dave
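The multi-path verification problem Bill describes above, as an added illustration that is not part of this thread: a constructed toy model (certificate names, dates and the omission of signature checking are all assumptions) contrasting a verifier that follows the first issuer match it finds with one that backtracks to an alternative path when the first one ends at an expired root.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = utc(2021, 11, 8)  # constructed: the date of this thread

# Constructed chain: one intermediate cross-signed by two roots, one expired.
LEAF = Cert("leaf.example", "Intermediate", utc(2022, 1, 15))
INTERMEDIATES = [
    Cert("Intermediate", "Old Root", utc(2024, 9, 30)),  # found first
    Cert("Intermediate", "New Root", utc(2025, 9, 15)),  # alternative path
]
TRUST_STORE = [
    Cert("Old Root", "Old Root", utc(2021, 9, 30)),  # expired, kept on purpose
    Cert("New Root", "New Root", utc(2035, 6, 4)),
]

def naive_verify(leaf, intermediates, roots, now):
    """Follows the first issuer match and gives up if that single path fails."""
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:
        nxt = next((c for c in intermediates + roots if c.subject == cur.issuer), None)
        if nxt is None:
            return None
        chain.append(nxt)
        cur = nxt
    ok = cur in roots and all(c.not_after > now for c in chain)
    return chain if ok else None

def verify(leaf, intermediates, roots, now):
    """Depth-first path building: every issuer candidate is tried, and the
    first path ending at a trusted, unexpired, self-signed root is accepted."""
    def build(chain):
        cur = chain[-1]
        if cur.not_after <= now:          # dead end: expired cert on this path
            return None
        if cur in roots and cur.issuer == cur.subject:
            return chain
        for cand in intermediates + roots:
            if cand.subject == cur.issuer and cand not in chain:
                found = build(chain + [cand])
                if found:
                    return found
        return None
    return build([leaf])
```

With the expired root removed from the store, the cross-signed path simply stops existing; keeping it there is what lets a chain that relies only on the old root fail definitively rather than be rejected for an unknown issuer.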