From owner-freebsd-pkg@FreeBSD.ORG Mon Jan 19 12:28:35 2015
From: "Baptiste Daroussin"
Date: Mon, 19 Jan 2015 12:28:29 +0000
To: freebsd-pkg@freebsd.org
Subject: Re: Please help regarding usage of client certifcates with pkg command used on freeBSD
Message-ID: <20972e667a7be6d86a3689c18e916b1f@mail.etoilebsd.net>
In-Reply-To: <54BCEA6F.9050108@infracaninophile.co.uk>
References: <54BCEA6F.9050108@infracaninophile.co.uk> <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>
List-Id: Binary package management and package tools discussion

January 19 2015 12:29 PM, "Matthew Seaman" wrote:
> On 01/19/15 11:07, Baptiste Daroussin wrote:
>
>> January 1 2015 8:09 AM, "Mohit Hasija" wrote:
>>> Dear Pkg port Manager,
>>>
>>> We intend to use client certificates for https authentication during retrieval of a package from
>>> a custom repository built at a remote location.
>>>
>>> We want to know the following:
>>>
>>> 1. Is there inbuilt support for usage of client certificates with the "pkg" command on FreeBSD 10.1
>>> release?
>>>
>>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>>
>>> In case No, how can we add support to pkg with minimal effort for using client certificates?
>>>
>>> Awaiting an early reply...
>>>
>>> regards
>>>
>>> Mohit Hasija
>>> Mobile No.: +91-9958302266
>>
>> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch supports such a feature.
>>
>> Adding such a feature to libfetch would be great but that would also mean it will not find its way
>> to FreeBSD 10.1 as FreeBSD 10.1 is already released.
>>
>> FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss such things.
>
> This should be possible -- see the fetch(3) man page, especially the
> ENVIRONMENT section where it mentions amongst other things:
>
>     SSL_CLIENT_CERT_FILE
>         PEM encoded client certificate/key which will be used
>         in client certificate authentication.
>
>     SSL_CLIENT_KEY_FILE
>         PEM encoded client key in case key and client
>         certificate are stored separately.
>
> Simply set those environment variables to appropriate values and it
> should just work. You may need to add settings to tell fetch(3) to
> trust the server certificates. If you can make the client cert
> authentication work with fetch(1) -- which might be easier to debug --
> then it should work with pkg(8). Do let us know how you get on.
>
> Cheers,

If it works with those environment variables, then you can add them right into your pkg.conf:

    PKG_ENV: {
        SSL_CLIENT_CERT_FILE: ...
        SSL_CLIENT_KEY_FILE: ...
    }
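As an added example (not part of the thread and not pkg's own code), a small sh script that ties the two replies together: it checks the client cert/key files before use, runs the fetch(1) probe Matthew suggests with the same environment variables, and prints the PKG_ENV block for pkg.conf. It assumes SSL_CA_CERT_FILE from fetch(3) is the setting used to trust the repository's server certificate, and the file paths and URL are placeholders.

```shell
#!/bin/sh
# Added example: prepare client-certificate auth for pkg(8) via libfetch.
# SSL_CLIENT_CERT_FILE / SSL_CLIENT_KEY_FILE are the fetch(3) names quoted
# in the thread; SSL_CA_CERT_FILE (also fetch(3)) is assumed to be how the
# repo server's certificate is trusted. All paths/URLs below are placeholders.

# Return 0 when cert and key are readable and the key has no group/other
# permission bits (a world-readable client key defeats the authentication).
check_client_cert_files() {
    cert=$1; key=$2
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key $key is group/other accessible ($perms)" >&2; return 1; }
    return 0
}

# Print the pkg.conf fragment that hands the paths to libfetch through PKG_ENV.
# Third argument (CA bundle for the repo server) is optional.
pkg_env_block() {
    printf 'PKG_ENV: {\n'
    printf '    SSL_CLIENT_CERT_FILE: "%s"\n' "$1"
    printf '    SSL_CLIENT_KEY_FILE: "%s"\n' "$2"
    if [ -n "$3" ]; then
        printf '    SSL_CA_CERT_FILE: "%s"\n' "$3"
    fi
    printf '}\n'
}

# Matthew's debugging tip: prove the TLS handshake with fetch(1) first, using
# exactly the variables pkg(8) will later export. Returns fetch's exit status,
# or 2 when fetch(1) is not available on this host.
fetch_probe() {
    url=$1; cert=$2; key=$3; ca=$4
    command -v fetch >/dev/null 2>&1 || { echo "fetch(1) not found" >&2; return 2; }
    if [ -n "$ca" ]; then
        env SSL_CLIENT_CERT_FILE="$cert" SSL_CLIENT_KEY_FILE="$key" \
            SSL_CA_CERT_FILE="$ca" fetch -v -o /dev/null "$url"
    else
        env SSL_CLIENT_CERT_FILE="$cert" SSL_CLIENT_KEY_FILE="$key" \
            fetch -v -o /dev/null "$url"
    fi
}

# Typical use (placeholder paths/URL):
#   check_client_cert_files /etc/ssl/pkg/client.crt /etc/ssl/pkg/client.key &&
#   fetch_probe https://repo.example.org/pkg/meta.txz /etc/ssl/pkg/client.crt /etc/ssl/pkg/client.key /etc/ssl/pkg/repo-ca.pem &&
#   pkg_env_block /etc/ssl/pkg/client.crt /etc/ssl/pkg/client.key /etc/ssl/pkg/repo-ca.pem >> /usr/local/etc/pkg.conf
```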