!102 [sync] PR-98: remove cert expired at 20250512

From: @openeuler-sync-bot 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai

add-secure-compile-option-in-Makefile.patch

@@ -8,9 +8,9 @@ diff -urN grpc/CMakeLists.txt grpc_new/CMakeLists.txt
  endif()
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_gRPC_C_CXX_FLAGS}")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${_gRPC_C_CXX_FLAGS}")
-+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,now -fPIE -fPIC")
-+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,now -fstack-protector-strong")
-+set(_gRPC_ALLTARGETS_LIBRARYIES "${_gRPC_ALLTARGETS_LIBRARYIES} -Wl,-z,now -pie") 
++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2")
++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2")
++set(_gRPC_ALLTARGETS_LIBRARYIES "${_gRPC_ALLTARGETS_LIBRARYIES} -Wl,-z,relro -Wl,-z,now -pie") 
  
  if(gRPC_USE_PROTO_LITE)
    set(_gRPC_PROTOBUF_LIBRARY_NAME "libprotobuf-lite")
@@ -23,9 +23,9 @@ index 6ede6e34d2..d6190ecde4 100644
  DEFINES += $(EXTRA_DEFINES)
  LDLIBS += $(EXTRA_LDLIBS)
 
-+CFLAGS += -Wl,-z,now -fPIE -fPIC
-+CPPFLAGS += -Wl,-z,now -fstack-protector-strong
-+LDFLAGS += -Wl,-z,now -pie
++CFLAGS += -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2
++CPPFLAGS += -Wl,-z,relro -Wl,-z,now -fPIE -fPIC -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -O2
++LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie
 +
  HOST_CPPFLAGS += $(CPPFLAGS)
  HOST_CFLAGS += $(CFLAGS)

backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch

@@ -0,0 +1,58 @@
+From 5850cba2957cc894477e735a74aa6c246b499ff4 Mon Sep 17 00:00:00 2001
+From: Yash Tibrewal <yashkt@google.com>
+Date: Mon, 11 Apr 2022 15:49:18 -0700
+Subject: [PATCH] Ignore Connection Aborted errors on accept (#29318)
+
+* Ignore Connection Aborted errors on accept
+
+* Reviewer comments
+---
+ src/core/lib/iomgr/tcp_server_posix.cc | 32 +++++++++++++-------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
+index c40ddbf646..f02bb8396a 100644
+--- a/src/core/lib/iomgr/tcp_server_posix.cc
++++ b/src/core/lib/iomgr/tcp_server_posix.cc
+@@ -204,22 +204,22 @@ static void on_read(void* arg, grpc_error_handle err) {
+        strip off the ::ffff:0.0.0.0/96 prefix first. */
+     int fd = grpc_accept4(sp->fd, &addr, 1, 1);
+     if (fd < 0) {
+-      switch (errno) {
+-        case EINTR:
+-          continue;
+-        case EAGAIN:
+-          grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+-          return;
+-        default:
+-          gpr_mu_lock(&sp->server->mu);
+-          if (!sp->server->shutdown_listeners) {
+-            gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+-          } else {
+-            /* if we have shutdown listeners, accept4 could fail, and we
+-               needn't notify users */
+-          }
+-          gpr_mu_unlock(&sp->server->mu);
+-          goto error;
++      if (errno == EINTR) {
++        continue;
++      } else if (errno == EAGAIN || errno == ECONNABORTED ||
++                 errno == EWOULDBLOCK) {
++        grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
++        return;
++      } else {
++        gpr_mu_lock(&sp->server->mu);
++        if (!sp->server->shutdown_listeners) {
++          gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
++        } else {
++          /* if we have shutdown listeners, accept4 could fail, and we
++             needn't notify users */
++        }
++        gpr_mu_unlock(&sp->server->mu);
++        goto error;
+       }
+     }
+ 
+-- 
+2.33.0
+

backport-iomgr-EventEngine-Improve-server-handling-o.patch

@@ -0,0 +1,192 @@
+From 1e86ca5834b94cae7d5e6d219056c0fc895cf95d Mon Sep 17 00:00:00 2001
+From: AJ Heller <hork@google.com>
+Date: Wed, 12 Jul 2023 18:42:09 -0700
+Subject: [PATCH] [backport][iomgr][EventEngine] Improve server handling of
+ file descriptor exhaustion (#33672)
+
+Backport of #33656
+---
+ src/core/lib/iomgr/tcp_server_posix.cc        | 46 ++++++++++++++-----
+ src/core/lib/iomgr/tcp_server_utils_posix.h   | 13 +++++
+ .../iomgr/tcp_server_utils_posix_common.cc    | 21 ++++++++
+ 3 files changed, 67 insertions(+), 13 deletions(-)
+
+diff --git a/src/core/lib/iomgr/tcp_server_posix.cc b/src/core/lib/iomgr/tcp_server_posix.cc
+index a1db16d916..6804928fe3 100644
+--- a/src/core/lib/iomgr/tcp_server_posix.cc
++++ b/src/core/lib/iomgr/tcp_server_posix.cc
+@@ -16,13 +16,17 @@
+  *
+  */
+ 
++#include <grpc/support/port_platform.h>
++
++#include <utility>
++
++#include <grpc/support/atm.h>
++
+ /* FIXME: "posix" files shouldn't be depending on _GNU_SOURCE */
+ #ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+ #endif
+ 
+-#include <grpc/support/port_platform.h>
+-
+ #include "src/core/lib/iomgr/port.h"
+ 
+ #ifdef GRPC_POSIX_SOCKET_TCP_SERVER
+@@ -45,6 +49,7 @@
+ #include "absl/strings/str_cat.h"
+ #include "absl/strings/str_format.h"
+ 
++#include <grpc/event_engine/event_engine.h>
+ #include <grpc/support/alloc.h>
+ #include <grpc/support/log.h>
+ #include <grpc/support/sync.h>
+@@ -350,21 +357,35 @@ static void on_read(void* arg, grpc_error_handle err) {
+     if (fd < 0) {
+       if (errno == EINTR) {
+         continue;
+-      } else if (errno == EAGAIN || errno == ECONNABORTED ||
+-                 errno == EWOULDBLOCK) {
++      }
++      // When the process runs out of fds, accept4() returns EMFILE. When this
++      // happens, the connection is left in the accept queue until either a
++      // read event triggers the on_read callback, or time has passed and the
++      // accept should be re-tried regardless. This callback is not cancelled,
++      // so a spurious wakeup may occur even when there's nothing to accept.
++      // This is not a performant code path, but if an fd limit has been
++      // reached, the system is likely in an unhappy state regardless.
++      if (errno == EMFILE) {
++        grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
++        if (gpr_atm_full_xchg(&sp->retry_timer_armed, true)) return;
++        grpc_timer_init(&sp->retry_timer,
++                        grpc_core::ExecCtx::Get()->Now() + 1 * GPR_MS_PER_SEC,
++                        &sp->retry_closure);
++        return;
++      }
++      if (errno == EAGAIN || errno == ECONNABORTED || errno == EWOULDBLOCK) {
+         grpc_fd_notify_on_read(sp->emfd, &sp->read_closure);
+         return;
++      }
++      gpr_mu_lock(&sp->server->mu);
++      if (!sp->server->shutdown_listeners) {
++        gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+       } else {
+-        gpr_mu_lock(&sp->server->mu);
+-        if (!sp->server->shutdown_listeners) {
+-          gpr_log(GPR_ERROR, "Failed accept4: %s", strerror(errno));
+-        } else {
+-          /* if we have shutdown listeners, accept4 could fail, and we
+-             needn't notify users */
+-        }
+-        gpr_mu_unlock(&sp->server->mu);
+-        goto error;
++        // if we have shutdown listeners, accept4 could fail, and we
++        // needn't notify users
+       }
++      gpr_mu_unlock(&sp->server->mu);
++      goto error;
+     }
+ 
+     /* For UNIX sockets, the accept call might not fill up the member sun_path
+@@ -558,6 +581,7 @@ static grpc_error_handle clone_port(grpc_tcp_listener* listener,
+     sp->port_index = listener->port_index;
+     sp->fd_index = listener->fd_index + count - i;
+     GPR_ASSERT(sp->emfd);
++    grpc_tcp_server_listener_initialize_retry_timer(sp);
+     while (listener->server->tail->next != nullptr) {
+       listener->server->tail = listener->server->tail->next;
+     }
+@@ -791,6 +815,7 @@ static void tcp_server_shutdown_listeners(grpc_tcp_server* s) {
+   if (s->active_ports) {
+     grpc_tcp_listener* sp;
+     for (sp = s->head; sp; sp = sp->next) {
++      grpc_timer_cancel(&sp->retry_timer);
+       grpc_fd_shutdown(sp->emfd,
+                        GRPC_ERROR_CREATE_FROM_STATIC_STRING("Server shutdown"));
+     }
+diff --git a/src/core/lib/iomgr/tcp_server_utils_posix.h b/src/core/lib/iomgr/tcp_server_utils_posix.h
+index 26cef0209f..de5a888cff 100644
+--- a/src/core/lib/iomgr/tcp_server_utils_posix.h
++++ b/src/core/lib/iomgr/tcp_server_utils_posix.h
+@@ -30,6 +30,7 @@
+ #include "src/core/lib/iomgr/resolve_address.h"
+ #include "src/core/lib/iomgr/socket_utils_posix.h"
+ #include "src/core/lib/iomgr/tcp_server.h"
++#include "src/core/lib/iomgr/timer.h"
+ 
+ /* one listening port */
+ typedef struct grpc_tcp_listener {
+@@ -52,6 +53,11 @@ typedef struct grpc_tcp_listener {
+      identified while iterating through 'next'. */
+   struct grpc_tcp_listener* sibling;
+   int is_sibling;
++  // If an accept4() call fails, a timer is started to drain the accept queue in
++  // case no further connection attempts reach the gRPC server.
++  grpc_closure retry_closure;
++  grpc_timer retry_timer;
++  gpr_atm retry_timer_armed;
+ } grpc_tcp_listener;
+ 
+ /* the overall server */
+@@ -139,4 +145,10 @@ grpc_error_handle grpc_tcp_server_prepare_socket(
+ /* Ruturn true if the platform supports ifaddrs */
+ bool grpc_tcp_server_have_ifaddrs(void);
+ 
++// Initialize (but don't start) the timer and callback to retry accept4() on a
++// listening socket after file descriptors have been exhausted. This must be
++// called when creating a new listener.
++void grpc_tcp_server_listener_initialize_retry_timer(
++    grpc_tcp_listener* listener);
++
+ #endif /* GRPC_CORE_LIB_IOMGR_TCP_SERVER_UTILS_POSIX_H */
+diff --git a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
+index 574fd02d0d..a32f542c4a 100644
+--- a/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
++++ b/src/core/lib/iomgr/tcp_server_utils_posix_common.cc
+@@ -18,6 +18,8 @@
+ 
+ #include <grpc/support/port_platform.h>
+ 
++#include <grpc/support/atm.h>
++
+ #include "src/core/lib/iomgr/port.h"
+ 
+ #ifdef GRPC_POSIX_SOCKET_TCP_SERVER_UTILS_COMMON
+@@ -81,6 +83,24 @@ static int get_max_accept_queue_size(void) {
+   return s_max_accept_queue_size;
+ }
+ 
++static void listener_retry_timer_cb(void* arg, grpc_error_handle err) {
++  // Do nothing if cancelled.
++  if (err != GRPC_ERROR_NONE) return;
++  grpc_tcp_listener* listener = static_cast<grpc_tcp_listener*>(arg);
++  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
++  if (!grpc_fd_is_shutdown(listener->emfd)) {
++    grpc_fd_set_readable(listener->emfd);
++  }
++}
++
++void grpc_tcp_server_listener_initialize_retry_timer(
++    grpc_tcp_listener* listener) {
++  gpr_atm_no_barrier_store(&listener->retry_timer_armed, false);
++  grpc_timer_init_unset(&listener->retry_timer);
++  GRPC_CLOSURE_INIT(&listener->retry_closure, listener_retry_timer_cb, listener,
++                    grpc_schedule_on_exec_ctx);
++}
++
+ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
+                                               const grpc_resolved_address* addr,
+                                               unsigned port_index,
+@@ -112,6 +132,7 @@ static grpc_error_handle add_socket_to_server(grpc_tcp_server* s, int fd,
+     sp->server = s;
+     sp->fd = fd;
+     sp->emfd = grpc_fd_create(fd, name.c_str(), true);
++    grpc_tcp_server_listener_initialize_retry_timer(sp);
+     memcpy(&sp->addr, addr, sizeof(grpc_resolved_address));
+     sp->port = port;
+     sp->port_index = port_index;
+-- 
+2.33.0
+

fix-CVE-2023-33953-add-header-limit.patch

@@ -0,0 +1,37 @@
+From 5fe782778f535ae68508fb7979df1cbfbdf4d6de Mon Sep 17 00:00:00 2001
+From: sunsuwan <sunsuwan3@huawei.com>
+Date: Mon, 4 Sep 2023 21:45:49 +0800
+Subject: [PATCH] CVE-2023-33953 add header limit
+
+Signed-off-by: zhouyihang <zhouyihang3@h-partners.com>
+Signed-off-by: sunsuwan <sunsuwan3@huawei.com>
+---
+ .../ext/transport/chttp2/transport/hpack_parser.cc   | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.cc b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+index 09681fa..6b191a7 100644
+--- a/src/core/ext/transport/chttp2/transport/hpack_parser.cc
++++ b/src/core/ext/transport/chttp2/transport/hpack_parser.cc
+@@ -1372,6 +1372,18 @@ grpc_error_handle grpc_chttp2_header_parser_parse(void* hpack_parser,
+   auto* parser = static_cast<grpc_core::HPackParser*>(hpack_parser);
+   if (s != nullptr) {
+     s->stats.incoming.header_bytes += GRPC_SLICE_LENGTH(slice);
++    if (s->stats.incoming.header_bytes > t->settings[GRPC_ACKED_SETTINGS]
++                                                    [GRPC_CHTTP2_SETTINGS_MAX_HEADER_LIST_SIZE]) {
++      grpc_chttp2_cancel_stream(
++      t, s,
++      grpc_error_set_int(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
++                             "received header size exceeds limit"),
++                         GRPC_ERROR_INT_GRPC_STATUS,
++                         GRPC_STATUS_RESOURCE_EXHAUSTED));
++      grpc_chttp2_parsing_become_skip_parser(t);
++      s->seen_error = true;
++      return GRPC_ERROR_NONE;
++    }
+   }
+   grpc_error_handle error = parser->Parse(slice, is_last != 0);
+   if (error != GRPC_ERROR_NONE) {
+-- 
+2.33.0
+

grpc.spec

@@ -3,7 +3,7 @@
 
 Name:          grpc
 Version:       1.41.1
-Release:       3
+Release:       8
 Summary:       A modern, open source high performance RPC framework that can run in any environment
 License:       ASL 2.0
 URL:           https://www.grpc.io
@@ -12,6 +12,11 @@ Source0:       https://github.com/grpc/grpc/archive/v%{version}/%{name}-%{versio
 Patch0006:     repair-pkgconfig-path.patch
 Patch0007:     add-secure-compile-option-in-Makefile.patch
 Patch0010:     backport-grpc-1.41.1-python-grpcio-use-system-abseil.patch
+Patch0011:     backport-Ignore-Connection-Aborted-errors-on-accept-29318.patch
+Patch0012:     backport-iomgr-EventEngine-Improve-server-handling-o.patch
+Patch0013:     fix-CVE-2023-33953-add-header-limit.patch
+Patch0014:     remove-cert-expired-on-20230930.patch
+Patch0015:     remove-cert-expired-at-20250512.patch
 
 BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler
 BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel
@@ -76,7 +81,8 @@ cmake ../../ -DgRPC_INSTALL=ON\
              -DgRPC_INSTALL_SHAREDIR=%{buildroot}%{_datadir}/%{name} \
              -DgRPC_INSTALL_PKGCONFIGDIR=%{buildroot}%{_libdir}/pkgconfig \
              -DCMAKE_INSTALL_PREFIX=%{_prefix} \
-             -DBUILD_SHARED_LIBS=ON
+             -DBUILD_SHARED_LIBS=ON \
+             -DCMAKE_VERBOSE_MAKEFILE=ON
 make -j24 V=1
 
 # build python module
@@ -137,6 +143,36 @@ cd ../..
 %{python3_sitearch}/grpcio-%{version}-py?.?.egg-info
 
 %changelog
+* Fri Jun 21 2024 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-8
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:remove cert expired at 20250512
+
+* Wed Nov 15 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:remove cert expired on 20230930
+
+* Fri Sep 22 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-6
+- Type:CVE
+- ID:CVE-2023-33953
+- SUG:NA
+- DESC:fix CVE-2023-33953
+
+* Wed Sep 20 2023 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-5
+- Type:CVE
+- ID:CVE-2023-4785
+- SUG:NA
+- DESC:fix CVE-2023-4785
+
+* Thu Oct 20 2022 zhouyihang<zhouyihang3@h-partners.com> - 1.41.1-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: add some secure compilation options
+
 * Sat Apr 16 2022 xingwei<xingwei14@h-partners.com> - 1.41.1-3
 - Type:enhancement
 - ID:NA

remove-cert-expired-at-20250512.patch

@@ -0,0 +1,51 @@
+From 15327a17f80de1251e84d38dda045bbfd7061125 Mon Sep 17 00:00:00 2001
+From: renmingshuai <renmingshuai@huawei.com>
+Date: Tue, 28 May 2024 20:59:35 +0800
+Subject: [PATCH] huawei-remove-cert-expired-at-20250512
+
+---
+ etc/roots.pem | 29 -----------------------------
+ 1 file changed, 29 deletions(-)
+
+diff --git a/etc/roots.pem b/etc/roots.pem
+index c599727..d84a8f5 100644
+--- a/etc/roots.pem
++++ b/etc/roots.pem
+@@ -64,35 +64,6 @@ bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
+ fF6adulZkMV8gzURZVE=
+ -----END CERTIFICATE-----
+
+-# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+-# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+-# Label: "Baltimore CyberTrust Root"
+-# Serial: 33554617
+-# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
+-# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
+-# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
+------BEGIN CERTIFICATE-----
+-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+------END CERTIFICATE-----
+-
+ # Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
+ # Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
+ # Label: "Entrust Root Certification Authority"
+--
+2.33.0

remove-cert-expired-on-20230930.patch

@@ -0,0 +1,51 @@
+From 924b52b761bb3fae1f9a316e6a7989f3d3be8687 Mon Sep 17 00:00:00 2001
+From: sunsuwan <sunsuwan3@huawei.com>
+Date: Tue, 8 Aug 2023 15:27:04 +0800
+Subject: [PATCH] remove cert expired on 20230930
+
+---
+ etc/roots.pem | 28 ----------------------------
+ 1 file changed, 28 deletions(-)
+
+diff --git a/etc/roots.pem b/etc/roots.pem
+index bd5911a..c599727 100644
+--- a/etc/roots.pem
++++ b/etc/roots.pem
+@@ -248,34 +248,6 @@ mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK
+ 4SVhM7JZG+Ju1zdXtg2pEto=
+ -----END CERTIFICATE-----
+ 
+-# Issuer: O=SECOM Trust.net OU=Security Communication RootCA1
+-# Subject: O=SECOM Trust.net OU=Security Communication RootCA1
+-# Label: "Security Communication Root CA"
+-# Serial: 0
+-# MD5 Fingerprint: f1:bc:63:6a:54:e0:b5:27:f5:cd:e7:1a:e3:4d:6e:4a
+-# SHA1 Fingerprint: 36:b1:2b:49:f9:81:9e:d7:4c:9e:bc:38:0f:c6:56:8f:5d:ac:b2:f7
+-# SHA256 Fingerprint: e7:5e:72:ed:9f:56:0e:ec:6e:b4:80:00:73:a4:3f:c3:ad:19:19:5a:39:22:82:01:78:95:97:4a:99:02:6b:6c
+------BEGIN CERTIFICATE-----
+-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY
+-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t
+-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5
+-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD
+-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3
+-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8
+-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ
+-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9
+-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N
+-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ
+-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G
+-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T
+-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG
+-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr
+-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5
+-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU
+-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
+-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
+------END CERTIFICATE-----
+-
+ # Issuer: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
+ # Subject: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
+ # Label: "XRamp Global CA Root"
+-- 
+2.33.0
+