Bug 244518 - emulators/linux_base-c7: missing ca-certificates
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-emulation (Nobody)
Reported: 2020-02-29 11:31 UTC by Johannes Jost Meixner
Modified: 2022-01-16 07:41 UTC
bugzilla: maintainer-feedback? (emulation)


Description Johannes Jost Meixner freebsd_committer freebsd_triage 2020-02-29 11:31:04 UTC
Linux emulation in ports seems to ship without the ca-certificates RPM, which makes packages like cURL painful to use with SSL-enabled websites.

Please consider adding the ca-certificates RPM to the ports tree, preferably into the base package.

Source:

https://pkgs.org/download/ca-certificates

links https://centos.pkgs.org/7/centos-updates-x86_64/ca-certificates-2019.2.32-76.el7_7.noarch.rpm.html
at the time of writing.

Thanks,
-xmj
Comment 1 Byron Grobe 2020-02-29 17:45:39 UTC
<jell48> finally got the traces out with "truss chroot /compat/linux  curl https://google.com 2>&1". almost all of the files are found, except for "linux_open("/proc/sys/crypto/fips_enabled",0x0,0666) ERR#-2 'No such file or directory'". not sure how relevant is that crypto for curl to function (or is that a real cause)?

Recent versions of OpenSSL and other SSL libraries on Linux check for a kernel/userland setup that operates in a FIPS certified mode, which, whether or not it is used, includes a sysctl visible under /proc/sys/crypto/fips_enabled.
When the system is not in this mode, /proc/sys/crypto/fips_enabled should have a content of ASCII 0 (for false), which it should always be under emulation since we don't do FIPS certified crypto under Linux emulation.
Comment 2 Byron Grobe 2020-02-29 18:07:47 UTC
(In reply to Byron Grobe from comment #1)
From further discussion in #freebsd, it appears the proper location to do this would be in linprocfs.
Comment 3 Edward Tomasz Napierala freebsd_committer freebsd_triage 2022-01-16 07:41:45 UTC
I'm not sure if the /proc file is the problem here.  In strace output, I can see:

stat("/etc/pki/tls/certs/ca-bundle.crt", 0x7fffffffb8c0) = -1 ENOENT (No such file or directory)

Providing this file - e.g. by copying from FreeBSD's /usr/local/share/certs/ca-root-nss.crt - makes Linux curl work.
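
The workaround from comment 3, as an added example (not part of the bug thread or of the port): a shell function that installs FreeBSD's CA bundle at the path Linux curl stats. The function name and its two arguments are assumptions; the default paths are the ones quoted in the comments above.

```sh
#!/bin/sh
# Added example: provide the CA bundle that Linux curl looks for under the
# Linux compat root. Function name and arguments are hypothetical.

# ensure_linux_ca_bundle [compat_root] [source_bundle]
# Returns 0 if the bundle is present afterwards, 1 if the source is unusable.
ensure_linux_ca_bundle() {
    root="${1:-/compat/linux}"
    src="${2:-/usr/local/share/certs/ca-root-nss.crt}"
    dst="$root/etc/pki/tls/certs/ca-bundle.crt"

    # Already present and non-empty: leave it alone.
    if [ -s "$dst" ]; then
        echo "present: $dst"
        return 0
    fi

    # Refuse to install something that is not a PEM certificate bundle;
    # an empty or wrong file would only move the failure elsewhere.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null; then
        echo "no PEM certificates in $src" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dst")" || return 1

    # Copy rather than symlink: an absolute symlink to the host path would
    # be resolved inside the chroot used in the truss test from comment 1.
    cp "$src" "$dst" && chmod 644 "$dst" || return 1
    echo "installed: $dst"
}
```

A copied bundle does not follow later updates of the FreeBSD ca_root_nss package, so the copy has to be refreshed when that package changes.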