Date: Wed, 29 Aug 2018 18:24:33 +0000
From: bugzilla-noreply@freebsd.org
To: rc@FreeBSD.org
Subject: [Bug 228621] [patch] Certificate validation error in ntpd leap file / ietf.org chain
Message-ID: <bug-228621-20181-MSPdANLZQL@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-228621-20181@https.bugs.freebsd.org/bugzilla/>
References: <bug-228621-20181@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228621

Jeremy Chadwick <jdc@koitsu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jdc@koitsu.org

--- Comment #3 from Jeremy Chadwick <jdc@koitsu.org> ---
I haven't seen this error myself and I bet many users haven't as well. My theory is that this is because we happen to have ca_root_nss installed via pkg (a.k.a. security/ca_root_nss in ports). This is a common dependency in many different packages.

ca_root_nss package is responsible for creating /usr/local/etc/ssl/cert.pem, which base system OpenSSL (libssl.so.8) reads/honours. You can verify this with truss.

pkg info -l ca_root_nss will not show this file in its packaging list because of how ca_root_nss works. Some part of the pkg/port creates a hard link of /usr/local/etc/ssl/cert.pem --> /usr/local/share/certs/ca-root-nss.crt, of which the latter *is* in the package list. The pkg-message says it uses a symlink but this is false; see PR 228550 for details.

This is really part of a bigger problem that is the whole "base system" concept, but I don't want to get off-topic. The --no-verify-peer kludge should be acceptable, though I would strongly suggest asking secteam@ first.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
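
The message above says /usr/local/etc/ssl/cert.pem is a hard link to ca-root-nss.crt, not the symlink the pkg-message claims. The following is an added example (not part of the original message or of the port) that tells those cases apart from the shell; the function name classify_link is hypothetical, and the default paths are the two named in the message.

```shell
#!/bin/sh
# Added example: report how a trust-store path relates to the CA bundle.
# classify_link is a hypothetical helper, not part of ca_root_nss.

classify_link() {
    link=$1
    target=$2
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        # Neither a file nor a (possibly dangling) symlink exists here.
        echo missing
    elif [ -L "$link" ]; then
        # A symlink: -ef follows it, so check where it resolves.
        if [ "$link" -ef "$target" ]; then
            echo symlink
        else
            echo symlink-elsewhere
        fi
    elif [ "$link" -ef "$target" ]; then
        # Same device and inode without being a symlink: a hard link.
        echo hardlink
    elif cmp -s "$link" "$target"; then
        # Separate inode, byte-identical content.
        echo identical-copy
    else
        # Separate inode and different content (or target unreadable).
        echo different
    fi
}

# Defaults are the paths from the message; override with two arguments.
classify_link "${1:-/usr/local/etc/ssl/cert.pem}" \
              "${2:-/usr/local/share/certs/ca-root-nss.crt}"
```

A result of `different` means the file OpenSSL reads no longer matches the packaged bundle.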