| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
MFC after: 1 week
Reviewed by: mandree, markj
Differential Revision: https://reviews.freebsd.org/D51775
|
| |
|
|
|
|
|
|
|
|
| |
Until now, the untrusted directory has been maintained manually. Modify
the script used to maintain the trusted directory so it can handle both.
While here, clean it up a bit.
MFC after: 1 week
Reviewed by: mandree, markj
Differential Revision: https://reviews.freebsd.org/D51774
|
| |
|
|
|
|
|
|
|
|
|
| |
Mozilla has migrated its projects' source code to GitHub, update certdata URL
along with it.
Reference: https://github.com/curl/curl/pull/17321
Reviewed by: jrm (mentor), otis (mentor), kevans
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D50575
|
| |
|
|
|
|
|
|
|
|
|
| |
Summary:
- Seven (7) new roots
- Four (4) distrusted roots
- Fifteen (15) removed (expired) roots
Reviewed by: kevans
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49294
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that
a CA certificate will be distrusted in the future before its NotAfter time.
This means that the CA stops issuing new certificates, but previous ones are
still valid, but at most for 398 days after the distrust date.
See also:
* https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
* https://github.com/Lukasa/mkcert/issues/19
* https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
* https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c
Tested by: michaelo
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49075
|
| |
|
|
|
|
|
| |
This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
|
| |
|
|
|
|
|
|
|
| |
Changes:
- One (1) modified
- Eight (8) added
- One (1) expired, now untrusted
MFC after: 3 days
|
| |
|
|
| |
No functional change intended.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- Six (6) new roots
- Four (4) distrusted roots
Note that this was intentionally generated with OpenSSL 1.1.1 to avoid
mixing updates and non-functional changes -- there will be some churn
with OpenSSL 3. The next commit will update the current batch of
trusted certs with the format OpenSSL 3 produces, which I've tested
against OpenSSL 1.1.1 to be sure that that doesn't hurt us in older
branches.
|
| |
|
|
|
| |
An update is imminent; drop these now to make it easier to audit the
results.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
With this change, we'll drop the "with $FreeBSD$" lines from trusted/
certs in the next update. untrusted/ will need to be done manually, but
I'll likely just do them all manually, commit, then run the script and
commit any legitimate updates after confirming the output matches what
I did manually.
Reported by: imp
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D41597
|
| |
|
|
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| |
|
|
|
|
|
| |
Based on dates, these were likely just missed in the last update... add
them now.
- Twenty (20) new
|
| |
|
|
|
|
|
|
|
| |
Summary:
- Zero (0) newly trusted
- Five (5) modified
- Nine (9) distrusted
MFC after: 3 days
|
| | |
|
| |
|
|
|
| |
- Four (4) added
- Two (2) removed
|
| |
|
|
|
|
|
| |
Old certctl commands still work for compatability, but are deprecated.
Approved by: secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807
|
| |
|
|
|
|
|
| |
This adds a specific note that these are explicitly trusted for
server auth.
MFC after: 3 days
|
| |
|
|
|
|
| |
- Fifteen (15) removed
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.
Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.
MFC after: 3 days
|
| |
|
|
|
|
|
| |
- Three (3) added
- Two (2) removed
MFC after: 3 days
|
| |
|
|
|
|
|
|
| |
This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
| |
Summary:
- One (1) added
- Ten (10) removed
MFC after: 3 days
Notes:
svn path=/head/; revision=368555
|
| |
|
|
|
|
|
|
|
|
|
| |
Count:
- Two (2) removed
- Three (3) added
MFC after: 3 days
Notes:
svn path=/head/; revision=365896
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The proper procedure was not followed in r364943; all of these that were
deleted should have instead been moved over to the blacklist so that certctl
can DTRT.
Users must still `certctl rehash` after this, but this should generally be
done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
that freebsd-update doesn't come into play for this particular update, as
these have not yet made it into a release.
Future work (after svn -> git) will likely change the script that updatecert
invokes to facilitate the process, rather than trusting that kevans or
whomever updates in the future will remember.
Reported by: Helge Oldach <freebsd oldach net>
MFC after: 3 days
Notes:
svn path=/head/; revision=365248
|
| |
|
|
|
|
|
|
|
|
|
| |
Stats:
- Seven (7) removed
- Four (4) added
MFC after: 3 days
Notes:
svn path=/head/; revision=364943
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This solves an issue on stable/12 that causes certs to not get installed.
ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up
blank and nothing gets installed. We don't really require anything
ls-specific, though, so let's just simplify it.
MFC after: 3 days
Notes:
svn path=/head/; revision=364600
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original intention for caroot was to be packaged separately, perhaps so
that users can have a more/less conservative upgrade policy for this
separated from the rest of base.
secure/caroot/Makefile doesn't have anything interesting to package, but its
subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted
and trusted get packaged consistently into the correct one rather than the
default -utilities. Also tag the directories for package=caroot, as they
could also be empty; blacklisted is empty by default, but trusted is not.
Add a post-install script to do certctl rehash, along with a note should we
eventually come up with a way to detect that files have been added or
removed that requires a rehash.
-caroot gets a dependency on -utilities, as that's where we provide certctl
at the moment. We can perhaps reconsider this and put certctl into this
package in the future, but there are some bits within -utilities that
unconditionally invoke certctl so let's hold off for now.
Reviewed by: manu (earlier version, before -utilities dep added)
Differential Revision: https://reviews.freebsd.org/D23352
Notes:
svn path=/head/; revision=357264
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This kind of automagica got picked up in trusted/ prior to the initial
commit, but never got applied over in blacklisted. Ideally no one will be
using blacklisted/ to store arbitrary certs that they don't intend to
blacklist, so we should just install anything that's in here rather than
force consumer to first copy cert into place and then modify the file
listing in the Makefile.
Wise man once say: "it is better to restrict too much, than not enough.
sometimes."
Notes:
svn path=/head/; revision=357193
|
| |
|
|
|
|
|
|
|
|
| |
This directory stages certdata into .OBJDIR and processes it, but does not
actually build a prog-shaped object; bsd.obj.mk provides the minimal support
that we actually need, an .OBJDIR and descent into subdirs. This is
admittedly the nittiest of nits.
Notes:
svn path=/head/; revision=357084
|
| |
|
|
|
|
|
|
| |
Added:
- Entrust Root Certification Authority - G4
Notes:
svn path=/head/; revision=355376
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Interested users can blacklist any/all of these with certctl(8), examples:
- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
certctl rehash
Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs
No objection from: secteam
Relnotes: Definite maybe
Notes:
svn path=/head/; revision=353095
|
| |
|
|
|
|
|
|
|
| |
As is the current trend; while these files are manually curated, they are
still generated. If they end up in a review, it would be helpful to also
take the hint and hide them.
Notes:
svn path=/head/; revision=352951
|
|
|
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.
This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions
A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.
This work was done primarily by allanjude@, with minor contributions by
myself.
No objection from: secteam
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16856
Notes:
svn path=/head/; revision=352948
|
