Date: Sun, 8 Oct 2023 21:04:38 +0200 From: =?UTF-8?B?VMSzbA==?= Coosemans <tijl@FreeBSD.org> To: Koichiro Iwao <meta@freebsd.org> Cc: Dag-Erling =?UTF-8?B?U23DuHJncmF2?= <des@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, ports@freebsd.org Subject: Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink. Message-ID: <20231008210438.1d6f0953@hal.tijl.coosemans.org> In-Reply-To: <e3g73uqrsnhlvufy6fqvcnhpmk2end6oaawwqjgfyn3avpxchq@kkxcogbrjalt> References: <202310061549.396Fn8xF027032@gitrepo.freebsd.org> <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk> <868r8eeja5.fsf@ltc.des.no> <j5hsadyeheayonhr5zudy2xurjtujxt3o6ilyyv4z7eej4zxnl@ptiztdqopea2> <e3g73uqrsnhlvufy6fqvcnhpmk2end6oaawwqjgfyn3avpxchq@kkxcogbrjalt>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 8 Oct 2023 04:56:43 +0900 Koichiro Iwao <meta@freebsd.org> wrote: > On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote: >> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Sm=C3=B8rgrav wrote= : =20 >>> Koichiro Iwao <meta@freebsd.org> writes: =20 >>>> % LANG=3DC wget -O - https://www.freebsd.org >>>> --2023-10-07 19:50:58-- https://www.freebsd.org/ >>>> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2= 405:f000:202:2541::50:3, 192.50.199.250, ... >>>> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:= 443... connected. >>>> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=3DR3= ,O=3DLet\'s Encrypt,C=3DUS': >>>> Unable to locally verify the issuer's authority. >>>> To connect to www.freebsd.org insecurely, use `--no-check-certificate'= . =20 >>>=20 >>> I'm unable to reproduce this on 13.2. Running wget under ktrace shows >>> that although it first looks for the nonexistent bundle, it correctly >>> falls back to the system trust store. =20 >=20 > Regarding wget, it was an issue with security/openssl. >=20 > I'm using openssl from ports: > > DEFAULT_VERSIONS+=3D ssl=3Dopenssl =20 >=20 > As far as I tried debugging with ktrace, security/openssl doesn't > fallback to /etc/ssl/certs directory. >=20 > % LANG=3DC ktrace wget -O /dev/null https://www.freebsd.org/ > --2023-10-08 04:32:45-- https://www.freebsd.org/ > Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405= :f000:202:2541::50:3, 210.231.212.93, ... > Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443= ... connected. > ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=3DR3,O= =3DLet\'s Encrypt,C=3DUS': > Unable to locally verify the issuer's authority. > To connect to www.freebsd.org insecurely, use `--no-check-certificate'. >=20 > % kdump -tn |grep -e "/etc" -e "certs" > 28088 wget NAMI "/etc/libmap.conf" > 28088 wget NAMI "/usr/local/etc/libmap.d" > 28088 wget NAMI "/usr/local/etc/libmap.d/mesa.conf" > 28088 wget NAMI "/etc/malloc.conf" > 28088 wget NAMI "/usr/local/etc/wgetrc" > 28088 wget NAMI "/usr/local/etc/wgetrc" > 28088 wget NAMI "/etc/localtime" > 28088 wget NAMI "/etc/nsswitch.conf" > 28088 wget NAMI "/etc/nsswitch.conf" > 28088 wget NAMI "/etc/hosts" > 28088 wget NAMI "/etc/resolv.conf" > 28088 wget NAMI "/usr/local/openssl/certs/8d33f237.0" > 28088 wget NAMI "/usr/local/openssl/certs/4042bcee.0" > 28088 wget NAMI "/usr/local/openssl/certs/2e5ac55d.0" > 28088 wget NAMI "/usr/local/openssl/certs/2e5ac55d.0" > 28088 wget NAMI "/usr/local/openssl/certs/bfabe37b.0" >=20 > % ls -l /usr/local/openssl/certs > (empty) >=20 > # rmdir /usr/local/openssl/certs > # ln -s /etc/ssl/certs /usr/local/openssl >=20 > So I replaced /usr/local/openssl/certs directory with a symlink to > /etc/ssl/certs directory. The workaround worked perfectly. >=20 > The security/openssl port might need some adjustment. After ca_root_nss > quit providing /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should > be added to the search path. Otherwise, openssl port cannot find root > certificates installed by ca_root_nss. There's a patch for security/openssl in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D269473
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20231008210438.1d6f0953>