On 2021-11-07 at 16:29:30 UTC-0500 (Mon, 8 Nov 2021 08:29:30 +1100
(EST))
Dave Horsfall <[email protected]>
is rumored to have said:
On Sun, 7 Nov 2021, Bill Cole wrote:
I have my own Mojave machines working without a problem after
removing the bad certificate from /etc/ssl/cert.pem. The one that
starts like this:
[...]
Intrigued, I checked my own:
mackie:~ dave$ grep "Not After" /etc/ssl/cert.pem
[... many dates snipped ...]
So I wonder how widespread this problem is?
The problem in this case is not the existence of the cert in the CA
bundle, but the fact that this particular expired cert was used in an
alternative validation path and the logic of verification for multi-path
certs isn't correct. Normally, expired root CAs should stay in there
because that allows positive non-verification of certs supposedly issued
by an expired (and maybe compromised) root CA.
And I'm not happy with those that are set way in the future; I heard
somewhere that 5 years is the recommended max.
CAs are special. The current limit on server certs is 397 days. I don't
think there's a consensus on CA lifetimes because of the conflicting
risks of too-short and too-long lives.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
