port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

Dave Horsfall dave at horsfall.org
Mon Nov 8 02:54:22 UTC 2021

On Sun, 7 Nov 2021, Bill Cole wrote:

>> So I wonder how widespread this problem is?
> The problem in this case is not the existence of the cert in the CA 
> bundle, but the fact that this particular expired cert was used in an 
> alternative validation path and the logic of verification for multi-path 
> certs isn't correct. Normally, expired root CAs should stay in there 
> because that allows positive non-verification of certs supposedly issued 
> by an expired (and maybe compromised) root CA.

Gotcha; thanks.

>> And I'm not happy with those that are set way in the future; I heard 
>> somewhere that 5 years is the recommended max.
> CAs are special. The current limit on server certs is 397 days. I don't 
> think there's a consensus on CA lifetimes because of the conflicting 
> risks of too-short and too-long lives.

One day past a leap year :-)  I don't remember where I saw the 5-year 
recommendation, unfortunately.

-- Dave

More information about the macports-users mailing list