From: Wolfgang Zenker <wolfgang@lyxys.ka.sub.org>
To: freebsd-stable@freebsd.org
Date: Sat, 18 Jun 2016 11:55:12 +0200
Subject: Re: new certificate for svn.freebsd.org?
Message-ID: <20160618095512.GA62084@lyxys.ka.sub.org>
In-Reply-To: <661d8bbb-ffa3-e42b-cff6-629733adedaf@FreeBSD.org>
References: <69edafc5-a368-77f6-aee7-81ab3c845e18@precisionforesight.com> <661d8bbb-ffa3-e42b-cff6-629733adedaf@FreeBSD.org>

* Matthew Seaman [160618 11:21]:
> On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
>> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
>> The new certificate is in place on the 4 mirrors that I found (US East,
>> US West, UK, Russia) but didn't verify cleanly and wasn't in the
>> documentation.
>> For me, the fix was in Dimitry's mail, a step I probably missed when
>> installing security/ca_root_nss:
>> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
> There's an option in the ca_root_nss port to create the symlink, which
> is enabled by default. That option only exists because the ports are
> not supposed to touch anything outside /usr/local -- except that for
> this port, not creating the symlink for /etc/ssl/cert.pem pretty much
> renders the whole port pointless.
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been several
> changes to the list of certs since, so not having the symlink in place
> indicates either that you haven't updated your ports recently, or that
> you've specifically chosen not to enable the symlink. In which case you
> wouldn't have been able to validate the previous cert either.

I first installed the port a couple of years ago and updated regularly,
but of course the option value of not installing the symlink, which I
then accepted as default, had been saved and was automatically used in
every update since. I could not validate the previous cert either, but
could check the hash against the published version. Now using "make
rmconfig" and reinstalling the port fixed it for me.

Maybe we should consider bringing the config dialog up again in ports
where default values are changed?

Wolfgang
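The two failure modes discussed in this thread (no /etc/ssl/cert.pem symlink at all, and a saved port option that silently keeps it off across updates) are both easy to check for before a svn or fetch certificate error sends you hunting. The script below is an added example, not part of this message or of the ports tree. It uses the two paths quoted above (/usr/local/share/certs/ca-root-nss.crt and /etc/ssl/cert.pem); the saved-options path /var/db/ports/security_ca_root_nss/options, the option name ETCSYMLINK and the OPTIONS_FILE_SET/OPTIONS_FILE_UNSET line format are assumptions about how the ports framework records `make config` choices, so adjust them if your tree differs.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD ports tree): diagnose the
# ca_root_nss symlink situation discussed in the message above.

# Paths quoted in the thread.
CA_BUNDLE_DEFAULT=/usr/local/share/certs/ca-root-nss.crt
CERT_PEM_DEFAULT=/etc/ssl/cert.pem

# Assumptions, not stated in the thread: where the ports framework saves the
# options chosen for security/ca_root_nss, and the name of its symlink option.
PORT_OPTIONS_FILE=/var/db/ports/security_ca_root_nss/options
SYMLINK_OPTION=ETCSYMLINK

# check_ca_bundle [CERT_PEM] [BUNDLE]
# Exit status:
#   0  CERT_PEM exists and contains at least one PEM certificate
#   1  CERT_PEM is missing (the case in this thread: symlink never created)
#   2  CERT_PEM is a dangling symlink (bundle deinstalled, link left behind)
#   3  CERT_PEM exists but holds no PEM certificate
#   4  CERT_PEM is a symlink, but to something other than BUNDLE
check_ca_bundle() {
    cert_pem=${1:-$CERT_PEM_DEFAULT}
    bundle=${2:-$CA_BUNDLE_DEFAULT}
    if [ -L "$cert_pem" ] && [ ! -e "$cert_pem" ]; then
        return 2
    fi
    [ -e "$cert_pem" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$cert_pem" || return 3
    # readlink(1) is available on FreeBSD and Linux; it prints the raw link target.
    if [ -L "$cert_pem" ] && [ "$(readlink "$cert_pem")" != "$bundle" ]; then
        return 4
    fi
    return 0
}

# count_certs FILE: number of PEM certificate blocks in a bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# saved_option OPTIONS_FILE OPTION: prints "set", "unset" or "default".
# A saved "unset" is exactly what keeps the symlink off after the port's
# default flipped to on; "make rmconfig" removes the file so the default applies.
saved_option() {
    opts_file=$1
    opt=$2
    [ -f "$opts_file" ] || { echo default; return 0; }
    if grep -q "^OPTIONS_FILE_SET+=$opt\$" "$opts_file"; then
        echo set
    elif grep -q "^OPTIONS_FILE_UNSET+=$opt\$" "$opts_file"; then
        echo unset
    else
        echo default
    fi
}

# verify_host HOST [CERT_PEM]: verify a server's chain against the bundle the
# way fetch/svn would. Needs network, so it is only run on request.
verify_host() {
    host=$1
    cert_pem=${2:-$CERT_PEM_DEFAULT}
    printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$cert_pem" -verify_return_error >/dev/null 2>&1
}

# Invoke as "sh thisscript.sh --check [host]" to inspect the live system.
if [ "${1:-}" = "--check" ]; then
    rc=0
    check_ca_bundle || rc=$?
    echo "$CERT_PEM_DEFAULT status: $rc (0 ok, 1 missing, 2 dangling, 3 no certs, 4 odd target)"
    [ "$rc" -eq 0 ] && echo "certificates in bundle: $(count_certs "$CERT_PEM_DEFAULT")"
    echo "saved $SYMLINK_OPTION option: $(saved_option "$PORT_OPTIONS_FILE" "$SYMLINK_OPTION")"
    if [ -n "${2:-}" ]; then
        if verify_host "$2"; then echo "$2: chain verifies"; else echo "$2: verification FAILED"; fi
    fi
fi
```

A status of 1 together with a saved "unset" is the combination described in this message: the port was updated regularly, but the recorded choice kept ETCSYMLINK off, so `make rmconfig` followed by a reinstall is the fix rather than creating the symlink by hand (which the next port update would otherwise not know about).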