Date: Mon, 19 Jan 2015 12:28:29 +0000 From: "Baptiste Daroussin" <bapt@freebsd.org> To: freebsd-pkg@freebsd.org Subject: Re: Please help regarding usage of client certifcates with pkg command used on freeBSD Message-ID: <20972e667a7be6d86a3689c18e916b1f@mail.etoilebsd.net> In-Reply-To: <54BCEA6F.9050108@infracaninophile.co.uk> References: <54BCEA6F.9050108@infracaninophile.co.uk> <afee7e679b57440a9006c1d5ba6892c1@NODEXCHMBX001.TechMahindra.com> <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>
next in thread | previous in thread | raw e-mail | index | archive | help
January 19 2015 12:29 PM, "Matthew Seaman" <m.seaman@infracaninophile.co.=
uk> wrote: =0A> On 01/19/15 11:07, Baptiste Daroussin wrote:=0A> =0A>> Ja=
nuary 1 2015 8:09 AM, "Mohit Hasija" <mh00122988@techmahindra.com> wrote:=
=0A>>> Dear Pkg port Manager,=0A>>> =0A>>> We intend to use client certi=
ficates for https authentication during retreival of a package from=0A>> =
a=0A>>> custom repository built at remote location.=0A>>> =0A>>> We want =
to know the following:=0A>>> =0A>>> 1.Is there inbuilt support for usage =
of client certifcates with "pkg" comamnd on freeBSD 10.1=0A>>> release?=
=0A>>> =0A>>> In case Yes, how can we use the client certifcates with pkg=
on freeBSD?=0A>>> =0A>>> In case No, how can we add support to pkg with =
minimal effrts for using client certifcates?=0A>>> =0A>>> Awaiting an ear=
ly reply...=0A>>> =0A>>> regards=0A>>> =0A>>> Mohit Hasija=0A>>> Mobile N=
o.: +91-9958302266=0A>> =0A>> pkg(8) is using libfetch to handle http(s) =
and I'm not sure libfetch does support such feature.=0A>> =0A>> Adding su=
ch feature to libfetch would be great but that would also means it will n=
ot find its way=0A>> to FreeBSD 10.1 as FreeBSD 10.1 is already released.=
=0A>> =0A>> FYI: I added pkg@FreeBSD.org to CC as it is the right list to=
discuss such things.=0A> =0A> This should be possible -- see the fetch(3=
) man page, especially the=0A> ENVIRONMENT section where it mentions amon=
gst other things:=0A> =0A> SSL_CLIENT_CERT_FILE=0A> PEM encoded client ce=
rtificate/key which will be used=0A> in client certificate authentication=
.=0A> =0A> SSL_CLIENT_KEY_FILE=0A> PEM encoded client key in case key and=
client cer-=0A> tificate are stored separately.=0A> =0A> Simply set thos=
e environment variables to appropriate values and it=0A> should just work=
. You may need to add settings to tell fetch(3) to=0A> trust the server c=
ertificates. If you can make the client cert=0A> authentication work with=
fetch(1) -- which might be easier to debug --=0A> then it should work wi=
th pkg(8). Do let us know how you get on.=0A> =0A> Cheers,=0A=0Aif it wor=
ks with those environment variable, then you can add them right into your=
pkg.conf=0APKG_ENV: {=0A SSL_CLIENT_CERT_FILE: ...=0A SSL_CLIENT_KEY_F=
ILE: ...=0A}
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20972e667a7be6d86a3689c18e916b1f>