FreeBSD Bugzilla – Attachment 245226 Details for
Bug 256902
libfetch breaks usage of certctl(8) managed store when security/ca_root_nss is installed
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Git-formatted patch (main)
main-0001-libfetch-don-t-rely-on-ca_root_nss-for-certificate-v.patch (text/plain), 1.87 KB, created by
Michael Osipov
on 2023-09-25 19:04:52 UTC
(
hide
)
Description:
Git-formatted patch (main)
Filename:
MIME Type:
Creator:
Michael Osipov
Created:
2023-09-25 19:04:52 UTC
Size:
1.87 KB
patch
obsolete
>From 49358eea3f4a9d3432784851f1e619e14b04a851 Mon Sep 17 00:00:00 2001 >From: Michael Osipov <michael.osipov@siemens.com> >Date: Mon, 25 Sep 2023 14:40:12 +0200 >Subject: [PATCH] libfetch: don't rely on ca_root_nss for certificate > validation > >Before caroot and certctl(8) there was no system truststore and libfetch used >the CA certificate bundle from ca_root_nss to verify peers, but with the >emerge of caroot this is not necessary anymore and we can rely on >OpenSSL using its default system truststore generated by certctl(8). > >Worse than that, it causes issues when: >* you need to explicitly block a CA certificate, >* need to add custom enterprise CA certificates, >* supply certificate revocation files, > >but you cannot do any of that. > >Now, unless explicitly overridden libfetch will request OpenSSL to use the >default system truststore. >--- > lib/libfetch/common.c | 8 -------- > 1 file changed, 8 deletions(-) > >diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c >index fd2091791620..dfa742577585 100644 >--- a/lib/libfetch/common.c >+++ b/lib/libfetch/common.c >@@ -1055,8 +1055,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) > /* > * Configure peer verification based on environment. > */ >-#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem" >-#define BASE_CERT_FILE "/etc/ssl/cert.pem" > static int > fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) > { >@@ -1066,12 +1064,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) > > if (getenv("SSL_NO_VERIFY_PEER") == NULL) { > ca_cert_file = getenv("SSL_CA_CERT_FILE"); >- if (ca_cert_file == NULL && >- access(LOCAL_CERT_FILE, R_OK) == 0) >- ca_cert_file = LOCAL_CERT_FILE; >- if (ca_cert_file == NULL && >- access(BASE_CERT_FILE, R_OK) == 0) >- ca_cert_file = BASE_CERT_FILE; > ca_cert_path = getenv("SSL_CA_CERT_PATH"); > if (verbose) { > fetch_info("Peer verification enabled"); >-- >2.41.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=245226">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 256902
: 245226 |
245227
|
245228
|
245229