FreeBSD Bugzilla – Attachment 245229 Details for
Bug 256902
libfetch breaks usage of certctl(8) managed store when security/ca_root_nss is installed
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Git-formatted patch (stable/12)
12-0001-libfetch-don-t-rely-on-ca_root_nss-for-certificate-v.patch (text/plain), 1.86 KB, created by
Michael Osipov
on 2023-09-25 19:05:54 UTC
(
hide
)
Description:
Git-formatted patch (stable/12)
Filename:
MIME Type:
Creator:
Michael Osipov
Created:
2023-09-25 19:05:54 UTC
Size:
1.86 KB
patch
obsolete
>From b627f0582129ec8237fc33db811be9ba0424daa9 Mon Sep 17 00:00:00 2001 >From: Michael Osipov <michael.osipov@siemens.com> >Date: Mon, 25 Sep 2023 14:40:12 +0200 >Subject: [PATCH] libfetch: don't rely on ca_root_nss for certificate > validation > >Before caroot and certctl(8) there was no system truststore and libfetch used >the CA certificate bundle from ca_root_nss to verify peers, but with the >emerge of caroot this is not necessary anymore and we can rely on >OpenSSL using its default system truststore generated by certctl(8). > >Worse than that, it causes issues when: >* you need to explicitly block a CA certificate, >* need to add custom enterprise CA certificates, >* supply certificate revocation files, > >but you cannot do any of that. > >Now, unless explicitly overridden libfetch will request OpenSSL to use the >default system truststore. >--- > lib/libfetch/common.c | 8 -------- > 1 file changed, 8 deletions(-) > >diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c >index 80a63123abdb..8b3b69ff3351 100644 >--- a/lib/libfetch/common.c >+++ b/lib/libfetch/common.c >@@ -786,8 +786,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) > /* > * Configure peer verification based on environment. > */ >-#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" >-#define BASE_CERT_FILE "/etc/ssl/cert.pem" > static int > fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) > { >@@ -797,12 +795,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) > > if (getenv("SSL_NO_VERIFY_PEER") == NULL) { > ca_cert_file = getenv("SSL_CA_CERT_FILE"); >- if (ca_cert_file == NULL && >- access(LOCAL_CERT_FILE, R_OK) == 0) >- ca_cert_file = LOCAL_CERT_FILE; >- if (ca_cert_file == NULL && >- access(BASE_CERT_FILE, R_OK) == 0) >- ca_cert_file = BASE_CERT_FILE; > ca_cert_path = getenv("SSL_CA_CERT_PATH"); > if (verbose) { > fetch_info("Peer verification enabled"); >-- >2.41.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=245229">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 256902
:
245226
|
245227
|
245228
| 245229