FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=stable%2F13 2026-04-30T15:03:24Z 2026-04-30T15:03:24Z Dag-Erling Smørgrav des@FreeBSD.org 2026-04-27T09:32:51Z urn:sha1:47f819c5727596debeeea5aeba7a1c3b5418144f Regenerate using certificate data from NSS 3.123.1. MFC after: 1 week Reviewed by: kevans (cherry picked from commit 07b52233e8b74c5ac884b9c9a894f57fad8dbd00) 2026-04-30T15:03:23Z Dag-Erling Smørgrav des@FreeBSD.org 2026-04-27T09:32:19Z urn:sha1:7c8cafd77171e0792e8c115602ac645c2bdb3def * Get certdata.txt directly from the NSS Mercurial repository, rather than from the Mozilla Firefox repository which imports it from NSS at irregular intervals. * Instead of always fetching the latest certdata.txt, fetch a specific version. For this commit, we set this to the version that was last imported in May 2025. * Add a refrence to the MPL to the generated files. * Regenerate with latest OpenSSL. This is purely cosmetic; mostly, the certificate names now contain less unnecessary whitespace and some elements are quoted. MFC after: 1 week Reviewed by: michaelo, kevans Differential Revision: https://reviews.freebsd.org/D56620 (cherry picked from commit ce33d6396aadb0613f1e74661bdbec571f836a60) 2026-04-30T15:03:23Z Dag-Erling Smørgrav des@FreeBSD.org 2025-08-25T21:41:52Z urn:sha1:1c928d934875b91925cde661889e6f98face08de MFC after: 1 week Reviewed by: mandree, markj Differential Revision: https://reviews.freebsd.org/D51775 (cherry picked from commit 0886019bf853bd30b70aa4b8cdb059830ca6aaad) 2026-04-30T15:03:22Z Dag-Erling Smørgrav des@FreeBSD.org 2025-08-25T21:41:36Z urn:sha1:8547b32728ea27ca1b2fed2d37de6546deea3999 Until now, the untrusted directory has been maintained manually. Modify the script used to maintain the trusted directory so it can handle both. While here, clean it up a bit. MFC after: 1 week Reviewed by: mandree, markj Differential Revision: https://reviews.freebsd.org/D51774 (cherry picked from commit b88b0bb784c7fdcfb8174806e822c1f8983c223f) 2025-06-04T19:32:53Z Michael Osipov michaelo@FreeBSD.org 2025-05-28T15:02:54Z urn:sha1:cda1b2b634ce39269f4e0e0b9856c205034ec2ab Mozilla has migrated its projects' source code to GitHub, update certdata URL along with it. Reference: https://github.com/curl/curl/pull/17321 Reviewed by: jrm (mentor), otis (mentor), kevans MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D50575 (cherry picked from commit 87c46facc3cf1744c30ecc9f63c10a778a1af104) 2025-03-20T11:32:44Z Michael Osipov michaelo@FreeBSD.org 2025-03-07T18:58:55Z urn:sha1:f89c056e118438759d3aa5b8475c075dcad9299e Summary: - Seven (7) new roots - Four (4) distrusted roots - Fourteen (14) removed (expired) roots Reviewed by: kevans MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49294 (cherry picked from commit 0100da4deb96e15acf72d7655127c6faafa4148f) 2025-03-15T13:56:16Z Michael Osipov michaelo@FreeBSD.org 2025-02-20T09:48:48Z urn:sha1:d3e5558d31688688684533e3fc575bc65d5e4b84 Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that a CA certificate will be distrusted in the future before its NotAfter time. This means that the CA stops issuing new certificates, but previous ones are still valid, but at most for 398 days after the distrust date. See also: * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 * https://github.com/Lukasa/mkcert/issues/19 * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16 * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c Tested by: michaelo Reviewed by: emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49075 (cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02) 2025-02-20T17:56:23Z Ed Maste emaste@FreeBSD.org 2025-02-19T19:08:59Z urn:sha1:6e688e6d4f9305441adce78079beaf1030e2881b Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. New features ------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. Bugfixes -------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505 --- Reviewed by: jlduran (build infrastructure) Reviewed by: cy (build infrastructure) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48947 (cherry picked from commit 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a) Approved by: re (accelerated MFC) (cherry picked from commit 802386cd37f638eec9606cb10d3dd03c8f1d6c17) 2025-02-20T17:56:23Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:c845ae475579d9b38cd1e3061f3896b44d1cb172 Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC) (cherry picked from commit ff2fd01609cc10bcdc87ebe4de42efaf7ffe2ee9) 2025-02-20T13:21:02Z Ed Maste emaste@FreeBSD.org 2025-02-06T19:21:12Z urn:sha1:63d3c245221d79f16b59771e84467bdd1abf11dd It is used only by scp and sftp, and already included directly in their Makefiles. It does not belong in libssh. Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48871 (cherry picked from commit c0af32952564099fe30a34aeb335f95a6dc811ba) (cherry picked from commit 8a02eb2c1e4f3847fccf3eb1e7ff914871e35be4)