|Summary:||emulators/linux_base-c7: missing ca-certificates|
|Product:||Ports & Packages||Reporter:||Johannes Jost Meixner <xmj>|
|Component:||Individual Port(s)||Assignee:||freebsd-emulation (Nobody) <emulation>|
|Severity:||Affects Only Me||CC:||grobe0ba|
Description Johannes Jost Meixner 2020-02-29 11:31:04 UTC
Linux emulation in ports seems to ship without the ca-certificates RPM, which makes packages like cURL painful to use with SSL-enabled websites. Please consider adding the ca-certificates RPM to the portstree, preferably into the base package. Source: https://pkgs.org/download/ca-certificates links https://centos.pkgs.org/7/centos-updates-x86_64/ca-certificates-2019.2.32-76.el7_7.noarch.rpm.html at the time of writing. Thanks, -xmj
Comment 1 Byron Grobe 2020-02-29 17:45:39 UTC
<jell48> finally got the traces out with "truss chroot /compat/linux curl https://google.com 2>&1". almost all of the files are found, except for "linux_open("/proc/sys/crypto/fips_enabled",0x0,0666) ERR#-2 'No such file or directory'". not sure how relevant is that crypto for curl to function (or is that a real cause)? Recent versions of OpenSSL and other SSL libraries on Linux check for a kernel/userland setup that operates in a FIPS certified mode, which whether or not it is used, it includes a sysctl visible under /proc/sys/crypto/fips_enabled. When the system is not in this mode, /proc/sys/crypto/fips_enabled should have a content of ASCII 0 (for false), which it should always be under emulation since we don't do FIPS certified crypto under linux emulation.