From b627f0582129ec8237fc33db811be9ba0424daa9 Mon Sep 17 00:00:00 2001
From: Michael Osipov <michael.osipov@siemens.com>
Date: Mon, 25 Sep 2023 14:40:12 +0200
Subject: [PATCH] libfetch: don't rely on ca_root_nss for certificate validation

Before caroot and certctl(8) there was no system truststore and libfetch used the CA certificate bundle from ca_root_nss to verify peers, but with the emerge of caroot this is not necessary anymore and we can rely on OpenSSL using its default system truststore generated by certctl(8).

Worse than that, it causes issues when:
* you need to explicitly block a CA certificate,
* need to add custom enterprise CA certificates,
* supply certificate revocation files,
but you cannot do any of that.

Now, unless explicitly overridden libfetch will request OpenSSL to use the default system truststore.
---
 lib/libfetch/common.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index 80a63123abdb..8b3b69ff3351 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -786,8 +786,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 /*
 * Configure peer verification based on environment.
 */
-#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem"
-#define BASE_CERT_FILE "/etc/ssl/cert.pem"
 static int
 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 {
@@ -797,12 +795,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
 ca_cert_file = getenv("SSL_CA_CERT_FILE");
- if (ca_cert_file == NULL &&
- access(LOCAL_CERT_FILE, R_OK) == 0)
- ca_cert_file = LOCAL_CERT_FILE;
- if (ca_cert_file == NULL &&
- access(BASE_CERT_FILE, R_OK) == 0)
- ca_cert_file = BASE_CERT_FILE;
 ca_cert_path = getenv("SSL_CA_CERT_PATH");
 if (verbose) {
 fetch_info("Peer verification enabled");
-- 
2.41.0
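Review bot: On the new side of the second hunk, ca_cert_file stays NULL when both SSL_CA_CERT_FILE and SSL_CA_CERT_PATH are unset, and nothing visible in the hunk selects the system truststore the commit message promises; that now depends entirely on the rest of fetch_ssl_setup_peer_verification, which continues past the hunk. It is worth confirming that the code after this point calls SSL_CTX_set_default_verify_paths() when neither variable is set, because if it only ever hands the environment-supplied values to SSL_CTX_load_verify_locations(), a connection without an override would have no trust anchors at all and verification would fail closed instead of using the certctl(8) store. A short comment after the two getenv() lines would record the new contract for the next reader: `/* No SSL_CA_CERT_FILE/SSL_CA_CERT_PATH override: rely on OpenSSL's default verify paths, populated by certctl(8). */`. The first hunk only drops the now-unused LOCAL_CERT_FILE/BASE_CERT_FILE macros and needs no separate note, though any fetch(3) text that still documents those fallback files should be updated alongside this change.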