Date:      Mon, 19 Jan 2015 12:28:29 +0000
From:      "Baptiste Daroussin" <bapt@freebsd.org>
To:        freebsd-pkg@freebsd.org
Subject:   Re: Please help regarding usage of client certificates with pkg command used on FreeBSD
Message-ID:  <20972e667a7be6d86a3689c18e916b1f@mail.etoilebsd.net>
In-Reply-To: <54BCEA6F.9050108@infracaninophile.co.uk>
References:  <54BCEA6F.9050108@infracaninophile.co.uk> <afee7e679b57440a9006c1d5ba6892c1@NODEXCHMBX001.TechMahindra.com>  <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>


January 19 2015 12:29 PM, "Matthew Seaman" <m.seaman@infracaninophile.co.uk> wrote: 
> On 01/19/15 11:07, Baptiste Daroussin wrote:
> 
>> January 1 2015 8:09 AM, "Mohit Hasija" <mh00122988@techmahindra.com> wrote: 
>>> Dear Pkg port Manager,
>>> 
>>> We intend to use client certificates for https authentication during retrieval of a package from a
>>> custom repository built at remote location.
>>> 
>>> We want to know the following:
>>> 
>>> 1. Is there inbuilt support for usage of client certificates with "pkg" command on FreeBSD 10.1
>>> release?
>>> 
>>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>> 
>>> In case No, how can we add support to pkg with minimal efforts for using client certificates?
>>> 
>>> Awaiting an early reply...
>>> 
>>> regards
>>> 
>>> Mohit Hasija
>>> Mobile No.: +91-9958302266
>> 
>> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does support such a feature.
>> 
>> Adding such a feature to libfetch would be great but that would also mean it will not find its way
>> to FreeBSD 10.1 as FreeBSD 10.1 is already released.
>> 
>> FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss such things.
> 
> This should be possible -- see the fetch(3) man page, especially the
> ENVIRONMENT section where it mentions amongst other things:
> 
> SSL_CLIENT_CERT_FILE
> PEM encoded client certificate/key which will be used
> in client certificate authentication.
> 
> SSL_CLIENT_KEY_FILE
> PEM encoded client key in case key and client certificate
> are stored separately.
> 
> Simply set those environment variables to appropriate values and it
> should just work. You may need to add settings to tell fetch(3) to
> trust the server certificates. If you can make the client cert
> authentication work with fetch(1) -- which might be easier to debug --
> then it should work with pkg(8). Do let us know how you get on.
> 
> Cheers,

If it works with those environment variables, then you can add them right into your pkg.conf:
PKG_ENV: {
  SSL_CLIENT_CERT_FILE: ...
  SSL_CLIENT_KEY_FILE: ...
}
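
The settings discussed in this thread, as an added example that is not part of the original e-mails or of pkg/libfetch: a POSIX sh preflight that checks the PEM files to be named in SSL_CLIENT_CERT_FILE and SSL_CLIENT_KEY_FILE, refuses a private key that group or other can access, and only then prints the PKG_ENV stanza. The function names, return codes and permission policy are assumptions made here.

```shell
#!/bin/sh
# Added example: preflight checks for the files named by fetch(3)'s
# SSL_CLIENT_CERT_FILE / SSL_CLIENT_KEY_FILE, then print a PKG_ENV stanza.
# Function names and return codes are assumptions, not part of pkg or libfetch.

# Succeeds if $1 is a readable file with a PEM block whose label matches $2.
has_pem_block() {
    [ -r "$1" ] && grep -q -e "-----BEGIN $2-----" "$1"
}

# Succeeds if group or other have any permission bit set on $1.
is_exposed() {
    for bit in 040 020 010 004 002 001; do
        [ -n "$(find "$1" -prune -perm -"$bit" -print)" ] && return 0
    done
    return 1
}

# usage: pkg_client_cert_env CERT_FILE [KEY_FILE]
# Without KEY_FILE, CERT_FILE must hold both the certificate and the key.
pkg_client_cert_env() {
    cert=$1
    key=${2:-$1}
    has_pem_block "$cert" 'CERTIFICATE' || {
        echo "no PEM certificate in $cert" >&2; return 1; }
    has_pem_block "$key" '.*PRIVATE KEY' || {
        echo "no PEM private key in $key" >&2; return 2; }
    if is_exposed "$key"; then
        echo "$key is accessible to group/other; chmod 600 it" >&2
        return 3
    fi
    echo 'PKG_ENV: {'
    echo "  SSL_CLIENT_CERT_FILE: \"$cert\""
    [ "$key" != "$cert" ] && echo "  SSL_CLIENT_KEY_FILE: \"$key\""
    echo '}'
}
```

Call it with the certificate path and, if the key is stored separately, the key path; the stanza is printed on stdout only when every check passes.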

