- 3 new trusted certificates
- 1 trusted certificate expired
- 23 new untrusted certificates
- 7 certificates moved from trusted to untrusted
Diff Detail
- Repository: rG FreeBSD src repository
- Lint: Skipped
- Unit Tests: Skipped
- Build Status: Buildable 66552, Build 63435: arc lint + arc unit
Event Timeline
The last time I worked on this I checked every untrusted CA whether it is authentic, because there could be a change in the format and our script didn't notice. I ran the current bundle from curl (https://curl.se/docs/caextract.html) and our output through Copilot. They don't match:
Thanks for the detailed list! I checked the [Mozilla CA bundle used by curl](https://curl.se/ca/cacert.pem) and compared it against your list. Here's a summary of **mismatches**: certificates you marked as **Trusted** or **Untrusted** that **do not appear** in the Mozilla bundle.

---

### ❌ Marked as Trusted but **Not Found** in Mozilla Bundle

These are **missing** from `cacert.pem` despite being marked as "Trusted":

- AC RAIZ FNMT-RCM
- AC RAIZ FNMT-RCM SERVIDORES SEGUROS
- Atos TrustedRoot 2011
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- Certum EC-384 CA
- Certum Trusted Network CA
- Certum Trusted Network CA 2
- Certum Trusted Root CA
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
- D-TRUST BR Root CA 1 2020
- D-TRUST BR Root CA 2 2023
- D-TRUST EV Root CA 1 2020
- D-TRUST EV Root CA 2 2023
- D-TRUST Root Class 3 CA 2 EV 2009
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- GlobalSign ECC Root CA - R4
- GlobalSign ECC Root CA - R5
- GlobalSign Root CA - R6
- GlobalSign Root E46
- GlobalSign Root R46
- HARICA TLS ECC Root CA 2021
- HARICA TLS RSA Root CA 2021
- HiPKI Root CA - G1
- Hongkong Post Root CA 3
- NAVER Global Root Certification Authority
- OISTE WISeKey Global Root GB CA
- OISTE WISeKey Global Root GC CA
- QuoVadis Root CA 1 G3
- QuoVadis Root CA 2 G3
- QuoVadis Root CA 3 G3
- Secure Global CA
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15
- Security Communication ECC RootCA1
- Security Communication RootCA2
- SSL.com EV Root Certification Authority ECC
- SSL.com EV Root Certification Authority RSA R2
- SSL.com Root Certification Authority ECC
- SSL.com Root Certification Authority RSA
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
- SwissSign Gold CA - G2
- SwissSign RSA TLS Root CA 2022 - 1
- SZAFIR ROOT CA2
- T-TeleSec GlobalRoot Class 2
- T-TeleSec GlobalRoot Class 3
- Telekom Security TLS ECC Root 2020
- Telekom Security TLS RSA Root 2023
- TrustAsia Global Root CA G3
- TrustAsia Global Root CA G4
- TrustAsia TLS ECC Root CA
- TrustAsia TLS RSA Root CA
- Trustwave Global ECC P256 Certification Authority
- Trustwave Global ECC P384 Certification Authority
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
- TunTrust Root CA
- TWCA CYBER Root CA
- TWCA Global Root CA
- TWCA Root Certification Authority
- UCA Extended Validation Root
- UCA Global G2 Root
- vTrus ECC Root CA
- vTrus Root CA

---

### ❌ Marked as Untrusted but **Found** in Mozilla Bundle

These are **present** in `cacert.pem` despite being marked "Untrusted":

- COMODO Certification Authority
- COMODO ECC Certification Authority
- COMODO RSA Certification Authority
- DigiCert Assured ID Root CA
- DigiCert Global Root CA
- DigiCert High Assurance EV Root CA
- Entrust Root Certification Authority
- Entrust Root Certification Authority - EC1
- Entrust Root Certification Authority - G2
- GlobalSign Root CA - R3
- Go Daddy Root Certificate Authority - G2
- Starfield Root Certificate Authority - G2
- Starfield Services Root Certificate Authority - G2
- SecureTrust CA

---

Let me know if you'd like a filtered list of only the **missing** or **unexpectedly present** certificates, or if you want to automate this comparison in a script.
This really needs some manual validation...
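A fingerprint-based version of the comparison that the pasted output offers to automate, added here as an example and not part of this review. Matching on the SHA-256 fingerprint of the DER rather than on the subject name is what makes such a check reviewable; the PEM blocks below are constructed placeholders, and the real inputs would be the curl cacert.pem bundle and the trusted/untrusted PEM sets of this change.

```python
import base64
import hashlib
import re

# One PEM block per certificate; cacert.pem also carries comment and
# "Name\n=====" lines between blocks, which the regex simply skips.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints (hex) of all certificates in PEM text."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def compare(trusted_pem, untrusted_pem, bundle_pem):
    """Match by fingerprint, not subject name, so renamed or re-issued roots cannot hide."""
    trusted, untrusted, bundle = (
        fingerprints(trusted_pem), fingerprints(untrusted_pem), fingerprints(bundle_pem)
    )
    return {
        "trusted_but_missing_from_bundle": sorted(trusted - bundle),
        "untrusted_but_present_in_bundle": sorted(untrusted & bundle),
        "in_bundle_but_not_trusted": sorted(bundle - trusted),
    }


def fake_cert(label):
    """Constructed placeholder block (not real DER); only the fingerprint logic is exercised."""
    body = base64.b64encode(("constructed-der:" + label).encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: a bundle in cacert.pem layout plus local trusted/untrusted sets.
BUNDLE = ("## Constructed stand-in for cacert.pem\n\nExample Root A\n==============\n"
          + fake_cert("A") + "\nExample Root B\n==============\n" + fake_cert("B"))
TRUSTED = fake_cert("A") + fake_cert("C")    # C is trusted locally but absent from bundle
UNTRUSTED = fake_cert("B") + fake_cert("D")  # B is untrusted locally but still in bundle

if __name__ == "__main__":
    for finding, fps in compare(TRUSTED, UNTRUSTED, BUNDLE).items():
        print(finding, fps)
```

To map a flagged fingerprint back to a human-readable name, `openssl x509 -in file.pem -noout -subject -fingerprint -sha256` prints both.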
I didn't bother reading beyond this point.
I did check this thoroughly. Eight formerly trusted certificates are no longer trusted. “Baltimore CyberTrust Root” has expired and was dropped outright. The other seven moved to untrusted: “GLOBALTRUST 2020” had a “distrust after” date which has now passed, and Mozilla switched the remaining six from “trusted delegator” to “must verify”, cf. Mozilla bug 1957685.
I went through and cross-checked. The change looks fine, but needs:
- MFC to 14 and 13
- Request SA to have it patched for current RELEASE builds (I did request last time and it worked well)
You can completely remove: untrusted/Explicitly_Distrust_DigiNotar_Root_CA.pem: Not After : Mar 31 18:19:22 2025 GMT
You also forgot to delete the expired distrusted one.
This review also contains, unfortunately from the OpenSSL bump, a lot of noise.
ObsoleteFiles.inc, line 63: Why do I count eight, but seven are documented?
ObsoleteFiles.inc, line 63: I've already given you the detailed breakdown.
I am fine with the change as long as this is met: https://reviews.freebsd.org/D52158#1192019