(Sorry I hit Enter too early)

In case it's compiled without P11KIT and TPM options, security/ca_root_nss is configured with:

--with-default-trust-store-file=${LOCALBASE}/share/certs/ca-root-nss.crt

This means not all the certificates on the system are considered, but only those provided by security/ca_root_nss (which, BTW, I heard is going away).

Simply replacing the above line with:

--with-default-trust-store-dir=/etc/ssl/certs

makes this port use the same certificates openssl (i.e. the base system) uses.

Perhaps this should be made into an option?
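The comment above contrasts a single-file trust store (the ca_root_nss bundle) with the base system's certificate directory. The script below is an added example, not code from the bug report or from the gnutls port: it builds both layouts under a temporary directory with constructed placeholder PEM blocks, counts what each store exposes, and maps a store path to the matching configure flag. Counting "BEGIN CERTIFICATE" markers across regular files is an approximation of what GnuTLS loads from a directory, and the sample layout (two bundle roots plus one locally added CA) is invented for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report or the gnutls port: compare how
# many CA certificates a GnuTLS build sees when its default trust store is
# one file (the ca_root_nss bundle) versus the base system directory.
# Both layouts are constructed under a temporary directory with placeholder
# PEM blocks; no real certificate is read or written.

# Count "BEGIN CERTIFICATE" markers in one PEM file, or in every regular
# file of a directory (FreeBSD's /etc/ssl/certs holds hash-named symlinks,
# so no extension filter is applied). Approximates what GnuTLS would load.
count_pem_certs() {
    store=$1
    if [ -d "$store" ]; then
        n=0
        for f in "$store"/*; do
            [ -f "$f" ] || continue
            c=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
            n=$((n + c))
        done
        echo "$n"
    elif [ -f "$store" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$store" || true
    else
        echo 0
    fi
}

# Map a trust store path to the configure argument the port would need:
# a file keeps --with-default-trust-store-file, a directory switches to
# --with-default-trust-store-dir (the two flags quoted in the comment).
trust_store_configure_arg() {
    if [ -d "$1" ]; then
        echo "--with-default-trust-store-dir=$1"
    else
        echo "--with-default-trust-store-file=$1"
    fi
}

# Write one placeholder PEM block (constructed, not a real certificate).
fake_cert() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Build both layouts under $1: the NSS bundle as a single file, and a
# certs directory holding the same bundle plus a locally added CA that
# the file-based store never sees.
build_sample_stores() {
    base=$1
    mkdir -p "$base/share/certs" "$base/etc/ssl/certs"
    { fake_cert NSS-ROOT-A; fake_cert NSS-ROOT-B; } > "$base/share/certs/ca-root-nss.crt"
    cp "$base/share/certs/ca-root-nss.crt" "$base/etc/ssl/certs/ca-root-nss.pem"
    fake_cert LOCAL-CORP-CA > "$base/etc/ssl/certs/local-corp-ca.pem"
}

# Report the difference for a given base directory as "file=N dir=M".
compare_trust_stores() {
    base=$1
    f=$(count_pem_certs "$base/share/certs/ca-root-nss.crt")
    d=$(count_pem_certs "$base/etc/ssl/certs")
    echo "file=$f dir=$d"
}

# Stand-alone run: build the sample stores, show the counts and the flag
# a directory-based store would need, then clean up.
tmp=$(mktemp -d)
build_sample_stores "$tmp"
compare_trust_stores "$tmp"
trust_store_configure_arg "$tmp/etc/ssl/certs"
rm -rf "$tmp"
```

Run it with `sh` and it prints `file=2 dir=3` for the constructed layout: the bundle file misses the locally added CA, which is the gap the comment describes. Pointing `count_pem_certs` at the real `${LOCALBASE}/share/certs/ca-root-nss.crt` and `/etc/ssl/certs` on a host shows the same comparison for that system.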
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a67a3f98ec28b607845ab6a33b2d2c5504f5b137

commit a67a3f98ec28b607845ab6a33b2d2c5504f5b137
Author:     Tijl Coosemans <tijl@FreeBSD.org>
AuthorDate: 2022-03-24 22:49:24 +0000
Commit:     Tijl Coosemans <tijl@FreeBSD.org>
CommitDate: 2022-04-13 12:11:59 +0000

    security/gnutls: update to 3.7.4

    Switch from security/ca_root_nss to base system certificate store.
    Disable obsolete TPM 1.2 support.

    PR:         257995, 260723, 263107, 263131
    Exp-run by: antoine

 security/gnutls/Makefile                         | 30 +++++++---------
 security/gnutls/distinfo                         |  6 ++--
 .../files/patch-tests_cert-tests_pkcs12.sh (new) | 14 ++++++++
 security/gnutls/pkg-plist                        | 40 +++++++++++++++++++---
 4 files changed, 66 insertions(+), 24 deletions(-)