At Mozilla they replied that they plan to fix this in December.

https://bugzilla.mozilla.org/show_bug.cgi?id=1733003

What could work as a temporary workaround is to patch the certdata.txt file.

$ pkg list ca-certificates                               
NAME (PUBLISHER)                                  VERSION                    IFO
crypto/ca-certificates (userland)                 3.71-2020.0.1.1            i--

This is a COMPONENT_REVISION=1 update to the 3.71 package with a patch

  patches/01-DST_Root_CA_X3.patch 
--- nss-3.71.orig/nss/lib/ckfw/builtins/certdata.txt    Fri Oct 29 18:32:43 2021
+++ nss-3.71/nss/lib/ckfw/builtins/certdata.txt Fri Oct 29 18:33:34 2021
@@ -3113,136 +3113,6 @@
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "DST Root CA X3"
-#
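
Review bot: the hunk header "@@ -3113,136 +3113,6 @@" says 130 lines are dropped, but only the '# Certificate "DST Root CA X3"' comment is quoted, so please confirm that the removed range ends after the entry's trust record (the CKO_NSS_TRUST object that follows the certificate object in certdata.txt) and does not cut into the next entry. As quoted, patches/01-DST_Root_CA_X3.patch also has no header comment; a line citing Mozilla bug 1733003 and saying the patch is to be dropped once upstream NSS removes the certificate would help whoever next updates the component.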

where the DST Root CA X3 is removed from certdata.txt


I am not sure whether this is all that is necessary, but it seems to work for 
me.

The package builds fine, and the 2 lines for DST Root CA X3 (file and link) are 
removed from the sample manifest; when updating the manifest to simply 
remove the DST Root CA X3, all seems fine.

Because this is necessary to connect in Squeak Smalltalk to

   https://squeak.org

it would be nice to get rid of the expired certificate.


However, on the other hand, this is not at all urgent, and it is easy to fix 
locally.


So I think that, instead of patching OpenIndiana with a temporary workaround 
and patch,
it is safest to wait for Mozilla NSS to be changed/updated,
and then follow Mozilla NSS unpatched in December 2021.

Regards,
David Stes


_______________________________________________
oi-dev mailing list
[email protected]
https://openindiana.org/mailman/listinfo/oi-dev
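
One way to check that a patched certdata.txt no longer carries any object for a given root, added here as an example (it is not part of the original message or of NSS). The templates are constructed sample data with placeholder octal bytes, and the names objects() and leftovers() are hypothetical helpers.

```python
import re
import sys

# Constructed templates in certdata.txt syntax; the octal bytes are placeholders.
CERT = '''#
# Certificate "{0}"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "{0}"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\003\\112
END
'''
TRUST = '''
# Trust for "{0}"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "{0}"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
'''
X3, X1 = "DST Root CA X3", "ISRG Root X1"
KEPT = CERT.format(X1) + TRUST.format(X1)
UNPATCHED = CERT.format(X3) + TRUST.format(X3) + KEPT
HALF_PATCHED = TRUST.format(X3) + KEPT   # certificate gone, trust record left
PATCHED = KEPT

def objects(text):
    """Yield (object class, label) for each object in certdata.txt-style text."""
    cls, in_octal = None, False
    for line in text.splitlines():
        if in_octal:                       # skip encoded bytes up to END
            in_octal = line.strip() != "END"
        elif line.endswith("MULTILINE_OCTAL"):
            in_octal = True
        elif line.startswith("CKA_CLASS "):
            cls = line.split()[-1]
        elif cls and (m := re.match(r'CKA_LABEL UTF8 "(.*)"', line)):
            yield cls, m.group(1)
            cls = None

def leftovers(text, label):
    """Object classes still carrying `label`; an empty list means fully removed."""
    return sorted(c for c, name in objects(text) if name == label)

if __name__ == "__main__":                 # usage: check.py path/to/certdata.txt
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(leftovers(fh.read(), X3) or "DST Root CA X3 not present")
```

Run against the patched source tree, a non-empty result means part of the entry survived the patch.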
