From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: new certificate for svn.freebsd.org?
Date: Sat, 18 Jun 2016 10:21:38 +0100
Message-ID: <661d8bbb-ffa3-e42b-cff6-629733adedaf@FreeBSD.org>
In-Reply-To: <69edafc5-a368-77f6-aee7-81ab3c845e18@precisionforesight.com>

On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East,
> US West, UK, Russia) but didn't verify cleanly and wasn't in the
> documentation.
>
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
>
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

There's an option in the ca_root_nss port to create the symlink, which is enabled by default. That option only exists because the ports are not supposed to touch anything outside /usr/local -- except that for this port, not creating the symlink for /etc/ssl/cert.pem pretty much renders the whole port pointless.

Even so, the option used to be off by default: the change to 'on by default' was made almost exactly a year ago, and there have been several changes to the list of certs since, so not having the symlink in place indicates either that you haven't updated your ports recently, or that you've specifically chosen not to enable the symlink. In which case you wouldn't have been able to validate the previous cert either.

There really is no excuse for not updating the ca_root_nss port immediately there are updates available. Otherwise you can end up trusting certificates that have since been shown to be less than trustworthy.

That you couldn't verify the cert is not a bug in FreeBSD, but a configuration problem in your own system. Not having the right fingerprint in the docs certainly is a bug which I'm sure will be addressed soon.
Cheers,

Matthew
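The symlink state Matthew describes can be audited before blaming the server. This is an added example, not code from the mailing-list post or from the ca_root_nss port; it assumes the paths named in the thread (/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt) as defaults, and lets both be overridden so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit the CA bundle wiring that the
# ca_root_nss port is expected to set up, i.e. /etc/ssl/cert.pem as a symlink
# to /usr/local/share/certs/ca-root-nss.crt, and say what is wrong if not.

# check_ca_bundle [LINK] [TARGET]
#   Returns 0 and prints "ok" when LINK is a symlink to TARGET and TARGET is
#   a readable PEM bundle; otherwise prints the reason and returns 1.
check_ca_bundle() {
    link="${1:-/etc/ssl/cert.pem}"
    target="${2:-/usr/local/share/certs/ca-root-nss.crt}"

    if [ ! -e "$target" ]; then
        echo "missing bundle: $target (install or update security/ca_root_nss)"
        return 1
    fi
    # A bundle with no PEM blocks is as useless as no bundle at all.
    if ! grep -q 'BEGIN CERTIFICATE' "$target"; then
        echo "bundle contains no certificates: $target"
        return 1
    fi
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "$link exists but is not a symlink; replace it with a link to $target"
        else
            echo "missing symlink: $link (enable the port's symlink option or create it)"
        fi
        return 1
    fi
    actual=$(readlink "$link")
    if [ "$actual" != "$target" ]; then
        echo "$link points at $actual, expected $target"
        return 1
    fi
    echo "ok: $link -> $target"
    return 0
}

# verify_host_chain HOST [BUNDLE]
#   Once the bundle is in place, confirm the server's chain validates against
#   it (needs network access; not exercised offline). Returns openssl's status.
verify_host_chain() {
    host="$1"
    bundle="${2:-/etc/ssl/cert.pem}"
    openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$bundle" </dev/null 2>/dev/null | grep 'Verify return code'
}
```

Run `check_ca_bundle` with no arguments on the host in question; a non-zero exit with a reason points at the local configuration problem rather than at the mirror.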