From owner-svn-src-stable@freebsd.org Mon Jun 6 11:08:06 2016
Return-Path:
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B0E0AB6D23B; Mon, 6 Jun 2016 11:08:06 +0000 (UTC) (envelope-from grembo@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 72C1319AC; Mon, 6 Jun 2016 11:08:06 +0000 (UTC) (envelope-from grembo@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u56B85QS091223; Mon, 6 Jun 2016 11:08:05 GMT (envelope-from grembo@FreeBSD.org)
Received: (from grembo@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u56B85VY091221; Mon, 6 Jun 2016 11:08:05 GMT (envelope-from grembo@FreeBSD.org)
Message-Id: <201606061108.u56B85VY091221@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: grembo set sender to grembo@FreeBSD.org using -f
From: Michael Gmelin Date: Mon, 6 Jun 2016 11:08:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r301500 - in stable/10: lib/libfetch usr.bin/fetch X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jun 2016 11:08:06 -0000 Author: grembo (ports committer) Date: Mon Jun 6 11:08:05 2016 New Revision: 301500 URL: https://svnweb.freebsd.org/changeset/base/301500 Log: MFC r297052: Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles Modified: stable/10/lib/libfetch/fetch.3 stable/10/usr.bin/fetch/fetch.1 Directory Properties: stable/10/ (props changed) Modified: stable/10/lib/libfetch/fetch.3 ============================================================================== --- stable/10/lib/libfetch/fetch.3 Mon Jun 6 10:21:53 2016 (r301499) +++ stable/10/lib/libfetch/fetch.3 Mon Jun 6 11:08:05 2016 (r301500) @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 1998-2013 Dag-Erling Smørgrav -.\" Copyright (c) 2013 Michael Gmelin +.\" Copyright (c) 2013-2016 Michael Gmelin .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 29, 2015 +.Dd March 18, 2016 .Dt FETCH 3 .Os .Sh NAME 
@@ -396,8 +396,15 @@ is currently unimplemented. .Sh HTTPS SCHEME Based on HTTP SCHEME. By default the peer is verified using the CA bundle located in -.Pa /etc/ssl/cert.pem . -The file may contain multiple CA certificates. +.Pa /usr/local/etc/ssl/cert.pem . +If this file does not exist, +.Pa /etc/ssl/cert.pem +is used instead. +If neither file exists, and +.Ev SSL_CA_CERT_PATH +has not been set, +OpenSSL's default CA cert and path settings apply. +The certificate bundle can contain multiple CA certificates. A common source of a current CA bundle is .Pa \%security/ca_root_nss . .Pp @@ -428,10 +435,11 @@ Client certificate based authentication The environment variable .Ev SSL_CLIENT_CERT_FILE should be set to point to a file containing key and client certificate -to be used in PEM format. In case the key is stored in a separate -file, the environment variable +to be used in PEM format. +When a PEM-format key is in a separate file from the client certificate, +the environment variable .Ev SSL_CLIENT_KEY_FILE -can be set to point to the key in PEM format. +can be set to point to the key file. In case the key uses a password, the user will be prompted on standard input (see .Xr PEM 3 ) . @@ -531,7 +539,7 @@ Invalid URL .El .Pp The accompanying error message includes a protocol-specific error code -and message, e.g.\& "File is not available (404 Not Found)" +and message, like "File is not available (404 Not Found)" .Sh ENVIRONMENT .Bl -tag -width ".Ev FETCH_BIND_ADDRESS" .It Ev FETCH_BIND_ADDRESS 
@@ -648,8 +656,7 @@ for compatibility. Allow SSL version 3 when negotiating the connection (not recommended). .It Ev SSL_CA_CERT_FILE CA certificate bundle containing trusted CA certificates. -Default value: -.Pa /etc/ssl/cert.pem . +Default value: See HTTPS SCHEME above. .It Ev SSL_CA_CERT_PATH Path containing trusted CA hashes. .It Ev SSL_CLIENT_CERT_FILE Modified: stable/10/usr.bin/fetch/fetch.1 ============================================================================== --- stable/10/usr.bin/fetch/fetch.1 Mon Jun 6 10:21:53 2016 (r301499) +++ stable/10/usr.bin/fetch/fetch.1 Mon Jun 6 11:08:05 2016 (r301500) @@ -1,6 +1,6 @@ .\"- .\" Copyright (c) 2000-2014 Dag-Erling Smørgrav -.\" Copyright (c) 2013 Michael Gmelin +.\" Copyright (c) 2013-2016 Michael Gmelin .\" All rights reserved. .\" Portions Copyright (c) 1999 Massachusetts Institute of Technology; used .\" by permission. @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 25, 2015 +.Dd March 18, 2016 .Dt FETCH 1 .Os .Sh NAME @@ -134,11 +134,17 @@ only. [SSL] Path to certificate bundle containing trusted CA certificates. If not specified, -.Pa /etc/ssl/cert.pem +.Pa /usr/local/etc/ssl/cert.pem is used. -The file may contain multiple CA certificates. The port +If this file does not exist, +.Pa /etc/ssl/cert.pem +is used instead. +If neither file exists and no CA path has been configured, +OpenSSL's default CA cert and path settings apply. +The certificate bundle can contain multiple CA certificates. +The .Pa security/ca_root_nss -is a common source of a current CA bundle. +port is a common source of a current CA bundle. .It Fl -ca-path= Ns Ar dir [SSL] The directory 
@@ -218,10 +224,16 @@ altogether, or a comma- or whitespace-se which proxies should not be used. .It Fl -no-sslv3 [SSL] -Don't allow SSL version 3 when negotiating the connection. +Do not allow SSL version 3 when negotiating the connection. +This option is deprecated and is provided for backward compatibility +only. +SSLv3 is disabled by default. +Set +.Ev SSL_ALLOW_SSL3 +to change this behavior. .It Fl -no-tlsv1 [SSL] -Don't allow TLS version 1 when negotiating the connection. +Do not allow TLS version 1 when negotiating the connection. .It Fl -no-verify-hostname [SSL] Do not verify that the hostname matches the subject of the @@ -351,8 +363,10 @@ for a description of additional environm .Ev SSL_CLIENT_CERT_FILE , .Ev SSL_CLIENT_KEY_FILE , .Ev SSL_CRL_FILE , -.Ev SSL_NO_SSL3 , +.Ev SSL_ALLOW_SSL3 , .Ev SSL_NO_TLS1 , +.Ev SSL_NO_TLS1_1 , +.Ev SSL_NO_TLS1_2 , .Ev SSL_NO_VERIFY_HOSTNAME and .Ev SSL_NO_VERIFY_PEER .
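Review bot: In the fetch.3 HTTPS SCHEME hunk (@@ -396,8 +396,15 @@), the new fallback order (/usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem, then OpenSSL's defaults) never mentions that SSL_CA_CERT_FILE overrides both files, yet the ENVIRONMENT hunk for that variable now reads only "Default value: See HTTPS SCHEME above." A reader following that cross-reference finds no statement of the override, so a sentence such as "The location of the bundle can be overridden with .Ev SSL_CA_CERT_FILE ." belongs in the HTTPS SCHEME paragraph. The same paragraph should also say what happens when none of the files exists and OpenSSL's defaults yield no trusted CA either, since "OpenSSL's default CA cert and path settings apply" leaves open whether peer verification then fails the connection or silently succeeds; that is the detail an administrator checking a fresh install needs.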
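Review bot: In the fetch.1 --no-sslv3 hunk (@@ -218,10 +224,16 @@), "Set .Ev SSL_ALLOW_SSL3 to change this behavior." presents re-enabling SSLv3 as a neutral toggle, while the fetch.3 ENVIRONMENT entry for the same variable in this patch carries "(not recommended)". Carry the same qualifier over here, e.g. "Set .Ev SSL_ALLOW_SSL3 to re-enable it (not recommended)." so both manual pages give the same guidance. In the ENVIRONMENT list hunk (@@ -351,8 +363,10 @@) SSL_NO_SSL3 is dropped and replaced by SSL_ALLOW_SSL3; since the --no-sslv3 option itself is kept and documented as "provided for backward compatibility only", it would help to state whether SSL_NO_SSL3 is likewise still honoured (and list it as deprecated) or is no longer recognized, rather than removing it without comment.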