Date: Fri, 16 May 2014 23:50:34 -0400
From: Bryan Drewery
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r266291 - head/lib/libfetch

Thanks! This is really needed for 9.3 for ports. So I hope re@ doesn't
mind if it comes in after the freeze.

Thanks,
Bryan

On 2014-05-16 23:39, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Sat May 17 03:39:56 2014
> New Revision: 266291
> URL: http://svnweb.freebsd.org/changeset/base/266291
>
> Log:
> Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
>
> MFH: 1 week
>
> Modified:
> head/lib/libfetch/common.c
>
> Modified: head/lib/libfetch/common.c
> ==============================================================================
> --- head/lib/libfetch/common.c Sat May 17 03:28:43 2014 (r266290) > +++ head/lib/libfetch/common.c Sat May 17 03:39:56 2014 (r266291) > @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX > /* > * Configure peer verification based on environment. > */ > +#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" > +#define BASE_CERT_FILE "/etc/ssl/cert.pem" > static int > fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) > { 
> @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT > const char *ca_cert_file, *ca_cert_path, *crl_file; > > if (getenv("SSL_NO_VERIFY_PEER") == NULL) { > - ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ? > - getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem"; > + ca_cert_file = getenv("SSL_CA_CERT_FILE"); > + if (ca_cert_file == NULL && > + access(LOCAL_CERT_FILE, R_OK) == 0) > + ca_cert_file = LOCAL_CERT_FILE; > + if (ca_cert_file == NULL) > + ca_cert_file = BASE_CERT_FILE; > ca_cert_path = getenv("SSL_CA_CERT_PATH"); > if (verbose) { > fetch_info("Peer verification enabled");

-- 
Regards,
Bryan Drewery
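
Review bot: the two #define lines added in the @@ -688,6 +688,8 @@ hunk land between the "Configure peer verification based on environment." comment and fetch_ssl_setup_peer_verification(), so the comment no longer sits directly above the function it documents. Move LOCAL_CERT_FILE and BASE_CERT_FILE above the comment block, or give them their own short comment stating the lookup order. The /usr/local prefix is also hard-coded here, which is worth a word in that comment for systems where ports install under a different prefix.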
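
Review bot: in the @@ -696,8 +698,12 @@ hunk, access(LOCAL_CERT_FILE, R_OK) == 0 only shows that the file was readable at the moment of the check, not that it contains usable certificates, and once LOCAL_CERT_FILE is selected BASE_CERT_FILE is never tried. A readable but empty or malformed /usr/local/etc/ssl/cert.pem would therefore shadow the base bundle and make peer verification fail; consider falling back to BASE_CERT_FILE when loading the local file fails rather than deciding on access() alone. Note also that access() tests with the real rather than the effective user ID, which can disagree with the later open in a set-user-ID caller. The commit modifies only common.c, so the new order (SSL_CA_CERT_FILE, then the local file, then the base file) still needs to be documented wherever SSL_CA_CERT_FILE is described.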