Date: Sat, 18 Jun 2016 10:21:38 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: new certificate for svn.freebsd.org?
Message-ID: <661d8bbb-ffa3-e42b-cff6-629733adedaf@FreeBSD.org>
In-Reply-To: <69edafc5-a368-77f6-aee7-81ab3c845e18@precisionforesight.com>
References: <69edafc5-a368-77f6-aee7-81ab3c845e18@precisionforesight.com>

On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang.  See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East,
> US West, UK, Russia) but didn't verify cleanly and wasn't in the
> documentation.
>
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
>
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

There's an option in the ca_root_nss port to create the symlink, which
is enabled by default.  That option only exists because the ports are
not supposed to touch anything outside /usr/local -- except that for
this port, not creating the symlink for /etc/ssl/cert.pem pretty much
renders the whole port pointless.

Even so, the option used to be off by default: the change to 'on by
default' was made almost exactly a year ago, and there have been several
changes to the list of certs since, so not having the symlink in place
indicates either that you haven't updated your ports recently, or that
you've specifically chosen not to enable the symlink.  In which case you
wouldn't have been able to validate the previous cert either.

There really is no excuse for not updating the ca_root_nss port
immediately there are updates available.  Otherwise you can end up
trusting certificates that have since been shown to be less than
trustworthy.

That you couldn't verify the cert is not a bug in FreeBSD, but a
configuration problem in your own system.  Not having the right
fingerprint in the docs certainly is a bug which I'm sure will be
addressed soon.

	Cheers,

	Matthew
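
Added example (not part of the original message and not code from the ca_root_nss port): a POSIX sh function that classifies the state of the /etc/ssl/cert.pem link discussed above, including the case of a regular-file copy that port updates would never refresh. The function name, status words and return codes are assumptions made for this illustration; the two default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: classify the state of the system trust-store link.
# Defaults are the two paths named in the thread; both can be overridden.
LINK_DEFAULT=/etc/ssl/cert.pem
BUNDLE_DEFAULT=/usr/local/share/certs/ca-root-nss.crt

# check_trust_link [link] [bundle]   (hypothetical helper)
# Prints one status word and returns:
#   0 ok, 1 missing, 2 dangling, 3 not-symlink, 4 wrong-target, 5 empty-bundle
check_trust_link() {
    link=${1:-$LINK_DEFAULT}
    bundle=${2:-$BUNDLE_DEFAULT}

    # Nothing at the link path at all: the symlink was never created.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo missing; return 1
    fi
    # A symlink whose target no longer exists (e.g. the port was removed).
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo dangling; return 2
    fi
    # A regular file is a copy: updating the port will not update it.
    if [ ! -L "$link" ]; then
        echo not-symlink; return 3
    fi
    # -ef compares device and inode, so relative or chained links still match.
    if [ ! "$link" -ef "$bundle" ]; then
        echo wrong-target; return 4
    fi
    # The bundle must contain at least one PEM certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo empty-bundle; return 5
    fi
    echo ok; return 0
}
```

Called with no arguments, check_trust_link inspects the two default paths; any result other than "ok" means certificate verification is not using the current ca_root_nss bundle through that link.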