port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

Bill Cole macportsusers-20171215 at billmail.scconsult.com
Mon Nov 8 01:42:01 UTC 2021

On 2021-11-07 at 16:29:30 UTC-0500 (Mon, 8 Nov 2021 08:29:30 +1100 
Dave Horsfall <dave at horsfall.org>
is rumored to have said:

> On Sun, 7 Nov 2021, Bill Cole wrote:
>> I have my own Mojave machines working without a problem after 
>> removing the bad certificate from /etc/ssl/cert.pem. The one that 
>> starts like this:
> [...]
> Intrigued, I checked my own:
>     mackie:~ dave$ grep "Not After" /etc/ssl/cert.pem
[... many dates snipped ...]
> So I wonder how widespread this problem is?

The problem in this case is not the existence of the cert in the CA 
bundle, but the fact that this particular expired cert was used in an 
alternative validation path and the logic of verification for multi-path 
certs isn't correct. Normally, expired root CAs should stay in there 
because that allows positive non-verification of certs supposedly issued 
by an expired (and maybe compromised) root CA.

> And I'm not happy with those that are set way in the future; I heard 
> somewhere that 5 years is the recommended max.

CAs are special. The current limit on server certs is 397 days. I don't 
think there's a consensus on CA lifetimes because of the conflicting 
risks of too-short and too-long lives.

Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

More information about the macports-users mailing list