Bug 194145

Summary: /usr/local/share/certs/ca-root-nss.crt is not pointed to by default for lang/php56
Product: Ports & Packages
Reporter: Larry Rosenman <ler>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed Works As Intended
Severity: Affects Only Me
CC: ale
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Larry Rosenman freebsd_committer freebsd_triage 2014-10-04 20:03:25 UTC
Apparently the PHP 5.6 default changed to verify_peer => TRUE, and the default
CA bundle should be built in somewhere, but apparently it's not.

Can someone(tm) look into this?
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2014-10-04 20:03:25 UTC
Maintainers CC'd
Comment 2 Alex Dupre freebsd_committer freebsd_triage 2014-10-07 10:15:56 UTC
I don't understand what the problem is, no context, no details.
Comment 3 Larry Rosenman freebsd_committer freebsd_triage 2014-10-07 13:19:45 UTC
When I set up SSL on PHP 5.6 for my roundcube, it failed the validation for my certificate since the ca-nss bundle is NOT pointed to by PHP.

PHP seems(!) to be using /etc/openssl/* whereas the ca-nss bundle is installed in
/usr/local/share/certs/ca-root-nss.crt.

PHP 5.6 changed the default to VERIFY_PEER => true, from false to increase security
and it needs the CA bundle.
Comment 4 Alex Dupre freebsd_committer freebsd_triage 2014-10-07 13:44:53 UTC
ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Comment 5 Larry Rosenman freebsd_committer freebsd_triage 2014-10-07 14:34:52 UTC
Shouldn't that be handled automatically?
Comment 6 Alex Dupre freebsd_committer freebsd_triage 2014-10-07 14:39:00 UTC
ca_root_nss has an option to create it automatically: http://svnweb.freebsd.org/ports/head/security/ca_root_nss/Makefile?revision=369237&view=markup
Comment 7 Larry Rosenman freebsd_committer freebsd_triage 2014-10-07 14:42:51 UTC
Thank You. 

Should we maybe consider making that option a default?
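
A diagnostic for the situation discussed in this thread, added here as an example (not code from the bug report or from the PHP port): it prints where the running PHP looks for CA certificates via openssl_get_cert_locations() and builds a stream context that keeps verify_peer on with cafile set explicitly. The fallback bundle path is the one named in the report; resolve_ca_file() and verified_context() are hypothetical helper names, and the lookup is simplified to CA files only (hashed certificate directories are not inspected).

```php
<?php
// Assumption: ca_root_nss bundle location as given in this bug report.
const PORT_BUNDLE = '/usr/local/share/certs/ca-root-nss.crt';

// Return the first readable CA file PHP/OpenSSL would pick up, or null.
// Simplified: only files are checked, not default_cert_dir / openssl.capath.
function resolve_ca_file(array $loc)
{
    // openssl.cafile (php.ini) is consulted first; otherwise OpenSSL falls
    // back to its compiled-in default file, which SSL_CERT_FILE can override.
    $env = getenv($loc['default_cert_file_env']);
    foreach (array($loc['ini_cafile'], $env, $loc['default_cert_file']) as $path) {
        if (!empty($path) && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Build a TLS context that verifies the peer against an explicit bundle.
function verified_context($cafile)
{
    return stream_context_create(array('ssl' => array(
        'verify_peer'      => true,   // the PHP 5.6 default, kept on
        'verify_peer_name' => true,
        'cafile'           => $cafile,
    )));
}

$loc = openssl_get_cert_locations();
foreach (array('ini_cafile', 'ini_capath', 'default_cert_file', 'default_cert_dir') as $k) {
    printf("%-18s %s\n", $k, empty($loc[$k]) ? '(unset)' : $loc[$k]);
}

$cafile = resolve_ca_file($loc);
if ($cafile === null && is_readable(PORT_BUNDLE)) {
    echo "No default CA file is readable; using the port's bundle explicitly.\n";
    $cafile = PORT_BUNDLE;
}
if ($cafile === null) {
    fwrite(STDERR, "No CA bundle found; peer verification will fail.\n");
    exit(1);
}
echo "CA file in use: $cafile\n";

// Optional live check: pass a host name as the first argument.
if (isset($argv[1])) {
    $fp = @stream_socket_client("ssl://{$argv[1]}:443", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, verified_context($cafile));
    echo $fp ? "Verified TLS connection to {$argv[1]}\n" : "Failed: $errstr\n";
}
```

Setting openssl.cafile in php.ini to the bundle path has the same effect for every stream without touching application code.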