Date: Mon, 19 Jan 2015 12:28:29 +0000
From: "Baptiste Daroussin" <bapt@freebsd.org>
To: freebsd-pkg@freebsd.org
Subject: Re: Please help regarding usage of client certifcates with pkg command used on freeBSD
Message-ID: <20972e667a7be6d86a3689c18e916b1f@mail.etoilebsd.net>
In-Reply-To: <54BCEA6F.9050108@infracaninophile.co.uk>
References: <54BCEA6F.9050108@infracaninophile.co.uk> <afee7e679b57440a9006c1d5ba6892c1@NODEXCHMBX001.TechMahindra.com> <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>

January 19 2015 12:29 PM, "Matthew Seaman" <m.seaman@infracaninophile.co.uk> wrote:
> On 01/19/15 11:07, Baptiste Daroussin wrote:
>
>> January 1 2015 8:09 AM, "Mohit Hasija" <mh00122988@techmahindra.com> wrote:
>>> Dear Pkg port Manager,
>>>
>>> We intend to use client certificates for https authentication during retrieval of a package from a
>>> custom repository built at remote location.
>>>
>>> We want to know the following:
>>>
>>> 1. Is there inbuilt support for usage of client certificates with "pkg" command on FreeBSD 10.1
>>> release?
>>>
>>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>>
>>> In case No, how can we add support to pkg with minimal efforts for using client certificates?
>>>
>>> Awaiting an early reply...
>>>
>>> regards
>>>
>>> Mohit Hasija
>>> Mobile No.: +91-9958302266
>>
>> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does support such feature.
>>
>> Adding such feature to libfetch would be great but that would also mean it will not find its way
>> to FreeBSD 10.1 as FreeBSD 10.1 is already released.
>>
>> FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss such things.
>
> This should be possible -- see the fetch(3) man page, especially the
> ENVIRONMENT section where it mentions amongst other things:
>
> SSL_CLIENT_CERT_FILE
>     PEM encoded client certificate/key which will be used
>     in client certificate authentication.
>
> SSL_CLIENT_KEY_FILE
>     PEM encoded client key in case key and client certificate
>     are stored separately.
>
> Simply set those environment variables to appropriate values and it
> should just work. You may need to add settings to tell fetch(3) to
> trust the server certificates. If you can make the client cert
> authentication work with fetch(1) -- which might be easier to debug --
> then it should work with pkg(8). Do let us know how you get on.
>
> Cheers,

If it works with those environment variables, then you can add them right into your pkg.conf
PKG_ENV: {
  SSL_CLIENT_CERT_FILE: ...
  SSL_CLIENT_KEY_FILE: ...
}
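
The procedure suggested in this thread (try the client certificate with fetch(1) first, then carry the same variables into pkg.conf), as an added example that is not part of the original e-mail or of pkg itself. The function names, the paths and URL passed in, the key-permission check, and the use of SSL_CA_CERT_FILE (the fetch(3) variable naming a CA bundle for verifying the server) are assumptions beyond what the messages state.

```shell
#!/bin/sh
# Added example: all paths and the repository URL are supplied by the caller.

# Succeed only if FILE exists and grants no access to group or other.
key_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print a PKG_ENV block for pkg.conf, in the form shown in the message.
# Usage: render_pkg_env CERT KEY [CA_BUNDLE]
render_pkg_env() {
    printf 'PKG_ENV: {\n'
    printf '  SSL_CLIENT_CERT_FILE: "%s",\n' "$1"
    printf '  SSL_CLIENT_KEY_FILE: "%s",\n' "$2"
    if [ -n "${3:-}" ]; then
        printf '  SSL_CA_CERT_FILE: "%s",\n' "$3"
    fi
    printf '}\n'
}

# Check the certificate with fetch(1) before touching pkg.conf.
# Usage: test_client_cert URL CERT KEY [CA_BUNDLE]
# Returns 2 if the key is missing or too widely readable, 1 if fetch fails.
test_client_cert() {
    url=$1 cert=$2 key=$3 ca=${4:-}
    if ! key_is_private "$key"; then
        echo "refusing: $key is missing or accessible to group/other" >&2
        return 2
    fi
    (
        # libfetch reads these from the environment (fetch(3), ENVIRONMENT).
        export SSL_CLIENT_CERT_FILE="$cert" SSL_CLIENT_KEY_FILE="$key"
        if [ -n "$ca" ]; then
            export SSL_CA_CERT_FILE="$ca"
        fi
        fetch -o /dev/null "$url"
    ) || return 1
    # fetch(1) succeeded: emit the matching pkg.conf fragment for review.
    render_pkg_env "$cert" "$key" "$ca"
}
```

Run test_client_cert as the user that will run pkg, since that user must be able to read the key; paste the printed block into pkg.conf only after fetch(1) succeeds.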