port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)
Bill Cole
macportsusers-20171215 at billmail.scconsult.com
Mon Nov 8 01:42:01 UTC 2021
On 2021-11-07 at 16:29:30 UTC-0500 (Mon, 8 Nov 2021 08:29:30 +1100
(EST))
Dave Horsfall <dave at horsfall.org>
is rumored to have said:
> On Sun, 7 Nov 2021, Bill Cole wrote:
>
>> I have my own Mojave machines working without a problem after
>> removing the bad certificate from /etc/ssl/cert.pem. The one that
>> starts like this:
>
> [...]
>
> Intrigued, I checked my own:
>
> mackie:~ dave$ grep "Not After" /etc/ssl/cert.pem
>
[... many dates snipped ...]
> So I wonder how widespread this problem is?
The problem in this case is not the existence of the cert in the CA
bundle, but the fact that this particular expired cert was used in an
alternative validation path and the logic of verification for multi-path
certs isn't correct. Normally, expired root CAs should stay in there
because that allows positive non-verification of certs supposedly issued
by an expired (and maybe compromised) root CA.
> And I'm not happy with those that are set way in the future; I heard
> somewhere that 5 years is the recommended max.
CAs are special. The current limit on server certs is 397 days. I don't
think there's a consensus on CA lifetimes because of the conflicting
risks of too-short and too-long lives.
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
More information about the macports-users
mailing list