Bug 234421

Summary: sysutils/vagrant: vagrant/files/cacert.pem over five years old
Product: Ports & Packages
Reporter: corvid
Component: Individual Port(s)
Assignee: Christoph Moench-Tegeder <cmt>
Status: Closed FIXED
Severity: Affects Many People
CC: cmt, joe
Priority: ---
Flags: joe: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Attachments:
vagrant 2.2.4_1 with curl and ca_root_nss dependencies (Flags: joe: maintainer-approval+)

Description corvid 2018-12-26 17:48:48 UTC
The file says "Certificate data from Mozilla as of: Thu Dec  5 09:40:49 2013"
Comment 1 Christoph Moench-Tegeder freebsd_committer freebsd_triage 2019-02-28 13:26:04 UTC
Ping?

The easiest improvement would be a BUILD_DEPENDS on security/ca_root_nss and copying ${PREFIX}/share/certs/ca-root-nss.crt from there - but embedding a certificate which is managed elsewhere is rather clumsy. A much more elegant way would be using the installed certificate from ca_root_nss at runtime - but I haven't really looked into the amount of patching required for that. Any comments?
Comment 2 joe 2019-03-09 20:20:30 UTC
Hi!

Sorry for the delay.

Yes, that's the best way; it should depend on ca_root_nss and use it at run-time.

Would you be able to make this change?

Thanks,
-Joe
Comment 3 joe 2019-03-11 04:08:48 UTC
I am attaching a patch that resolves the old certificate inclusion by depending upon the ca_root_nss package. Additionally, a dependency upon curl was missing.

I've bumped the port revision with these changes.

Tested on 12.0-RELEASE and 11.2-RELEASE for basic functionality.

Thanks,
-Joe
Comment 4 joe 2019-03-11 04:09:50 UTC
Created attachment 202790
vagrant 2.2.4_1 with curl and ca_root_nss dependencies
Comment 5 Christoph Moench-Tegeder freebsd_committer freebsd_triage 2019-03-11 09:01:42 UTC
I'll look into this later this week (curse of the consultant: lots of travel).
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-03-14 23:16:07 UTC
A commit references this bug:

Author: cmt
Date: Thu Mar 14 23:15:29 UTC 2019
New revision: 495742
URL: https://svnweb.freebsd.org/changeset/ports/495742

Log:
  Use CA certificates from ca_root_nss for TLS validation

  instead of embedding a very old version of that file, and depend
  on ca_root_nss for that.
  Add dependency on curl, which has been missing for a long time.

  PR:		234421
  Submitted by:	joe@thrallingpenguin.com
  Reported by:	corvid@openmailbox.org
  Approved by:	joe@thrallingpenguin.com (maintainer)

Changes:
  head/sysutils/vagrant/Makefile
  head/sysutils/vagrant/files/cacert.pem
  head/sysutils/vagrant/files/patch-bin_vagrant
  head/sysutils/vagrant/pkg-plist
Comment 7 Christoph Moench-Tegeder freebsd_committer freebsd_triage 2019-03-14 23:18:07 UTC
committed ports r495742 - thanks!
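
Added example, not part of the bug thread or the port: a check for stale embedded CA bundles that reads the "Certificate data from Mozilla as of:" header quoted in the description. The function names, the 365-day threshold, the `.pem`/`.crt` filter, the optional trailing `GMT` and the treatment of the timestamp as UTC are assumptions.

```python
import os
import re
from datetime import datetime, timezone

# Header line quoted in the bug description for vagrant/files/cacert.pem.
HEADER_RE = re.compile(r"Certificate data from Mozilla as of:\s*([^\r\n]+)")

def bundle_date(text):
    """Return the generation date stated in a CA bundle header, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    # Collapse padding ("Dec  5") and drop an optional trailing "GMT" (assumption).
    words = [w for w in m.group(1).split() if w != "GMT"]
    try:
        made = datetime.strptime(" ".join(words), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return made.replace(tzinfo=timezone.utc)  # assumption: timestamp is UTC

def audit(text, now, max_age_days=365):
    """Classify a bundle as 'ok', 'stale' or 'no-date'; also return age in days."""
    made = bundle_date(text)
    if made is None:
        return ("no-date", None)
    age = (now - made).days
    return ("stale" if age > max_age_days else "ok", age)

def scan(root, now, max_age_days=365):
    """Walk a source tree and list (path, age_days) for stale embedded bundles."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".pem", ".crt")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                head = fh.read(4096)  # the header sits at the top of the file
            status, age = audit(head, now, max_age_days)
            if status == "stale":
                findings.append((path, age))
    return sorted(findings)

# Constructed sample: only the header line is taken from the bug description.
SAMPLE = "##\n## Certificate data from Mozilla as of: Thu Dec  5 09:40:49 2013\n##\n"

if __name__ == "__main__":
    reported = datetime(2018, 12, 26, 17, 48, 48, tzinfo=timezone.utc)
    print(audit(SAMPLE, reported))
```

A bundle without the header is reported as `no-date` rather than `ok`, so it still needs a manual look.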