Date:      Sat, 7 Oct 2023 13:06:53 +0200
From:      Franco Fichtner <franco@lastsummer.de>
To:        Koichiro Iwao <meta@freebsd.org>
Cc:        Dag-Erling Smørgrav <des@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, ports@freebsd.org
Subject:   Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
Message-ID:  <2832E7B7-8077-4B33-B6AB-FEE2CE7DD332@lastsummer.de>
In-Reply-To: <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk>
References:  <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk>

Oh dear, if only there were concerns raised about recent changes here that were not answered by involved committers/reviewers.

> On 7. Oct 2023, at 12:57, Koichiro Iwao <meta@freebsd.org> wrote:
>
> Hi,
>
> Some applications cannot verify SSL certificates after this update. I tried to
> rebuild wget and aria2 with the revision after the recent update of ca_root_nss but
> no joy. I think all ca_root_nss consumers must be checked.
>
> % LANG=C aria2c https://www.freebsd.org/
>
> 10/07 19:45:55 [NOTICE] Downloading 1 item(s)
>
> 10/07 19:45:55 [ERROR] Failed to load trusted CA certificates from no. Cause: error:02001002:system library:fopen:No such file or directory
>
> 10/07 19:45:55 [ERROR] CUID#7 - Download aborted. URI=https://www.freebsd.org/
> Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://www.freebsd.org/
>  -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: unable to get local issuer certificate
> [#2ed384 0B/0B CN:0 DL:0B]
> 10/07 19:45:56 [NOTICE] Download GID#2ed384d2f1d3b6be not complete:
>
> Download Results:
> gid   |stat|avg speed  |path/URI
> ======+====+===========+=====================================================
> 2ed384|ERR |       0B/s|https://www.freebsd.org/
>
> Status Legend:
> (ERR):error occurred.
>
> aria2 will resume download if the transfer is restarted.
> If there are any errors, then see the log file. See '-l' option in help/man page for details.
>
> % LANG=C wget -O - https://www.freebsd.org
> --2023-10-07 19:50:58--  https://www.freebsd.org/
> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
>  Unable to locally verify the issuer's authority.
> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
>
> % pkg info ca_root_nss
> ca_root_nss-3.93_1
> Name           : ca_root_nss
> Version        : 3.93_1
> Installed on   : Sat Oct  7 19:26:44 2023 JST
> Origin         : security/ca_root_nss
> Architecture   : FreeBSD:13:*
> Prefix         : /usr/local
> Categories     : security
> Licenses       : MPL20
> Maintainer     : ports-secteam@FreeBSD.org
> WWW            : UNKNOWN
> Comment        : Root certificate bundle from the Mozilla Project
> Annotations    :
> Flat size      : 747KiB
> Description    :
> Root certificates from certificate authorities included in the Mozilla
> NSS library and thus in Firefox and Thunderbird.
>
> This port directly tracks the version of NSS in the security/nss port.
>
> % pkg info aria2
> aria2-1.36.0_3
> Name           : aria2
> Version        : 1.36.0_3
> Installed on   : Sat Oct  7 19:41:52 2023 JST
> Origin         : www/aria2
> Architecture   : FreeBSD:13:amd64
> Prefix         : /usr/local
> Categories     : www
> Licenses       : GPLv2
> Maintainer     : sunpoet@FreeBSD.org
> WWW            : https://aria2.github.io/
> Comment        : Yet another download tool
> Options        :
>        CARES          : off
>        DOCS           : on
>        EXPAT          : off
>        LIBUV          : off
>        LIBXML2        : on
>        NLS            : on
>        SQLITE         : on
>        SSH2           : off
>        STATIC         : on
> Shared Libs required:
>        libxml2.so.2
>        libssl.so.11
>        libsqlite3.so.0
>        libintl.so.8
>        libcrypto.so.11
> Shared Libs provided:
>        libaria2.so.0
> Annotations    :
>        FreeBSD_version: 1302508
>        cpe            : cpe:2.3:a:aria2_project:aria2:1.36.0:::::freebsd13:x64:3
> Flat size      : 16.5MiB
> Description    :
> aria2 is a lightweight multi-protocol & multi-source command-line download
> utility. It supports HTTP/HTTPS, FTP, BitTorrent and Metalink. aria2 can be
> manipulated via built-in JSON-RPC and XML-RPC interfaces. Its features include:
> - Multi-Connection Download.
>  aria2 can download a file from multiple sources/protocols and tries to utilize
>  your maximum download bandwidth. Really speeds up your download experience.
> - Lightweight.
>  aria2 doesn't require much memory and CPU time. The physical memory usage is
>  typically 4MiB (normal HTTP/FTP downloads) to 9MiB (BitTorrent downloads). CPU
>  usage in BitTorrent with download speed of 2.8MiB/sec is around 6%.
> - Fully Featured BitTorrent Client.
>  All features you want in BitTorrent client are available: DHT, PEX,
>  Encryption, Magnet URI, Web-Seeding, Selective Downloads and Local Peer
>  Discovery.
> - Metalink Enabled.
>  aria2 supports The Metalink Download Description Format (aka Metalink v4),
>  Metalink version 3 and Metalink/HTTP. Metalink offers the file verification,
>  HTTP/FTP/BitTorrent integration and the various configurations for language,
>  location, OS, etc.
> - Remote Control.
>  aria2 supports RPC interface to control the aria2 process. The supported
>  interfaces are JSON-RPC (over HTTP and WebSocket) and XML-RPC.
>
> % pkg info wget
> wget-1.21.4
> Name           : wget
> Version        : 1.21.4
> Installed on   : Sat Oct  7 19:52:03 2023 JST
> Origin         : ftp/wget
> Architecture   : FreeBSD:13:amd64
> Prefix         : /usr/local
> Categories     : www ftp
> Licenses       : GPLv3+
> Maintainer     : vd@FreeBSD.org
> WWW            : https://www.gnu.org/s/wget/
> Comment        : Retrieve files from the Net via HTTP(S) and FTP
> Options        :
>        DOCS           : on
>        GNUTLS         : off
>        IDN            : on
>        IPV6           : on
>        MANPAGES       : on
>        METALINK       : off
>        NLS            : on
>        NTLM           : off
>        OPENSSL        : on
>        PCRE2          : off
>        PSL            : on
> Shared Libs required:
>        libunistring.so.5
>        libssl.so.11
>        libpsl.so.5
>        libpcre.so.1
>        libintl.so.8
>        libidn2.so.0
>        libcrypto.so.11
> Annotations    :
>        FreeBSD_version: 1302508
>        cpe            : cpe:2.3:a:gnu:wget:1.21.4:::::freebsd13:x64
> Flat size      : 3.45MiB
> Description    :
> GNU wget is a free software package for retrieving files using HTTP,
> HTTPS and FTP, the most widely-used Internet protocols. It is a
> non-interactive command-line tool, so it may easily be called from
> scripts, cron jobs, terminals without X-Windows support, etc.
>
> GNU wget has many features to make retrieving large files or mirroring
> entire web or FTP sites easy, including:
>
> o Can resume aborted downloads, using REST and RANGE
> o Can use filename wild cards and recursively mirror directories
> o NLS-based message files for many different languages
> o Optionally converts absolute links in downloaded documents to
>   relative, so that downloaded documents may link to each other locally
> o Supports HTTP and SOCKS proxies
> o Supports HTTP cookies
> o Supports persistent HTTP connections
> o Unattended / background operation
> o Uses local file timestamps to determine whether documents need to
>   be re-downloaded when mirroring
> o GNU wget is distributed under the GNU General Public License.
>
>> On Fri, Oct 06, 2023 at 03:49:08PM +0000, Dag-Erling Smørgrav wrote:
>> The branch main has been updated by des:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=483e74f44b82f20bddd5608beef74b2a5ab38a88
>>
>> commit 483e74f44b82f20bddd5608beef74b2a5ab38a88
>> Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
>> AuthorDate: 2023-10-06 15:45:21 +0000
>> Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
>> CommitDate: 2023-10-06 15:48:57 +0000
>>
>>    security/ca_root_nss: Use certctl instead of a symlink.
>>
>>    MFH:            2023Q4
>>    Reviewed by:    fluffy, sunpoet
>>    Differential Revision:  https://reviews.freebsd.org/D42045
>> ---
>> security/ca_root_nss/Makefile             | 12 +-----------
>> security/ca_root_nss/files/pkg-message.in | 14 --------------
>> security/ca_root_nss/pkg-plist            |  6 ++----
>> 3 files changed, 3 insertions(+), 29 deletions(-)
>>
>> diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefil=
e
>> index db98535229c1..3abe00856c78 100644
>> --- a/security/ca_root_nss/Makefile
>> +++ b/security/ca_root_nss/Makefile
>> @@ -1,6 +1,6 @@
>> PORTNAME=3D    ca_root_nss
>> PORTVERSION=3D    ${VERSION_NSS}
>> -PORTREVISION=3D    0
>> +PORTREVISION=3D    1
>> CATEGORIES=3D    security
>> MASTER_SITES=3D    MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g=
}_RTM/src
>> DISTNAME=3D    nss-${VERSION_NSS}${NSS_SUFFIX}
>> @@ -17,14 +17,8 @@ USE_PERL5=3D    build
>> NO_ARCH=3D    yes
>> WRKSRC_SUBDIR=3D    nss
>>=20
>> -OPTIONS_DEFINE=3D        ETCSYMLINK
>> -OPTIONS_DEFAULT=3D    ETCSYMLINK
>> -
>> OPTIONS_SUB=3D        yes
>>=20
>> -ETCSYMLINK_DESC=3D    Add symlink to /etc/ssl/cert.pem
>> -ETCSYMLINK_CONFLICTS_INSTALL=3D    ca-roots-[0-9]*
>> -
>> CERTDIR?=3D    share/certs
>> PLIST_SUB+=3D    CERTDIR=3D${CERTDIR}
>>=20
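Review bot: the conflict with ca-roots-[0-9]* is dropped along with the ETCSYMLINK option, leaving no guard against two root bundles being installed side by side. The symlink that conflict protected is gone, but nothing in this hunk shows how ca-roots and this port now share the certctl-managed trust directories, so confirm the two packages no longer collide there before removing the `ETCSYMLINK_CONFLICTS_INSTALL` line. Removing the option also removes the administrator's opt-out: a site that manages /etc/ssl itself no longer has a knob to keep the port from touching it.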
>> @@ -49,8 +43,4 @@ do-install:
>>    ${MKDIR} ${STAGEDIR}${PREFIX}/openssl
>>    ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/c=
ert.pem.sample
>>=20
>> -do-install-ETCSYMLINK-on:
>> -    ${MKDIR} ${STAGEDIR}/etc/ssl
>> -    ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/=
ssl/cert.pem
>> -
>> .include <bsd.port.mk>
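Review bot: deleting `do-install-ETCSYMLINK-on` removes the /etc/ssl/cert.pem symlink without putting a bundle file anywhere in its place, and a bundle file (CAfile) is what most OpenSSL-based clients load by default; `certctl rehash` instead populates the hashed /etc/ssl/certs directory, which only helps software that does CApath lookups. The aria2 and wget failures reported above (`fopen:No such file or directory`, `unable to get local issuer certificate`) are what a missing default bundle looks like. Either keep installing a bundle at /etc/ssl/cert.pem, or state in the commit message which certctl-managed path consumers are now expected to use so the reviewers and maintainers of dependent ports can adjust.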
>> diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root=
_nss/files/pkg-message.in
>> index d937df3a0922..a28b233e6599 100644
>> --- a/security/ca_root_nss/files/pkg-message.in
>> +++ b/security/ca_root_nss/files/pkg-message.in
>> @@ -7,20 +7,6 @@ audited for trustworthiness or RFC 3647 compliance.
>>=20
>> Assessment and verification of trust is the complete responsibility of th=
e
>> system administrator.
>> -
>> -
>> -This package installs symlinks to support root certificates discovery by=

>> -default for software that uses OpenSSL.
>> -
>> -This enables SSL Certificate Verification by client software without man=
ual
>> -intervention.
>> -
>> -If you prefer to do this manually, replace the following symlinks with
>> -either an empty file or your site-local certificate bundle.
>> -
>> -  * /etc/ssl/cert.pem
>> -  * %%PREFIX%%/etc/ssl/cert.pem
>> -  * %%PREFIX%%/openssl/cert.pem
>> EOM
>> }
>> ]
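Review bot: the pkg-message paragraph is deleted rather than updated, so after this change the package no longer tells the administrator where the trust store lives or how to override it; the removed text covered both (the three symlink paths and the "replace with an empty file or your site-local certificate bundle" opt-out). Replace it with the certctl(8) equivalent, i.e. which directory `certctl rehash` maintains and how to drop a CA with `certctl untrust`, so that the message's remaining sentence "Assessment and verification of trust is the complete responsibility of the system administrator" stays actionable.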
>> diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-pl=
ist
>> index e8111772d308..ef04e1ffd140 100644
>> --- a/security/ca_root_nss/pkg-plist
>> +++ b/security/ca_root_nss/pkg-plist
>> @@ -1,6 +1,4 @@
>> %%CERTDIR%%/ca-root-nss.crt
>> -@sample etc/ssl/cert.pem.sample
>> -@sample openssl/cert.pem.sample
>> -%%ETCSYMLINK%%/etc/ssl/cert.pem
>> -%%ETCSYMLINK%%@dir /etc/ssl
>> +@postexec certctl rehash
>> +@postunexec certctl rehash
>> @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-=
sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
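Review bot: `@sample openssl/cert.pem.sample` is dropped from the plist, but the `do-install` target in the Makefile hunk above still stages `${PREFIX}/openssl/cert.pem.sample` (the `${MKDIR}` and `${LN}` lines are unchanged context), so the staged file becomes an orphan that `make check-plist` will flag; either delete those two staging lines as well or keep the `@sample` entry. This path matters beyond plist hygiene: `${PREFIX}/openssl/cert.pem` is the default CAfile of a ports-built OpenSSL, and the wget and aria2 packages in the report both list libssl.so.11, the ports library rather than the base one, which matches the `fopen:No such file or directory` failure they show. Separately, `@postexec certctl rehash` and `@postunexec certctl rehash` run unguarded, unlike the cert-sync line right below them that tests for the binary first; guard them the same way, or make the port declare the base versions that ship certctl.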
>
> --
> meta <meta@FreeBSD.org>
>

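As an added diagnostic for the failure reported above (this is example code, not part of the thread or of the ports tree): a POSIX sh script that checks whether the bundle locations the removed pkg-message listed (/etc/ssl/cert.pem, ${PREFIX}/etc/ssl/cert.pem, ${PREFIX}/openssl/cert.pem), OpenSSL's compiled-in OPENSSLDIR, and the SSL_CERT_FILE / SSL_CERT_DIR overrides actually hold certificates. The function names, the default prefix /usr/local and the `--check` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the ports tree.
# Reports which of the usual OpenSSL trust-store locations actually hold
# certificates, so an "unable to get local issuer certificate" failure can be
# traced to a missing local bundle rather than to the remote certificate chain.

# ca_bundle_status PATH
#   Prints one status line for PATH and returns 0 when PATH is a usable trust
#   store: a readable file with at least one PEM certificate, or a directory
#   holding at least one OpenSSL-style hashed link (<hash>.0, <hash>.1, ...).
ca_bundle_status() {
    p="$1"
    if [ -L "$p" ] && [ ! -e "$p" ]; then
        printf '%-40s dangling symlink -> %s\n' "$p" "$(readlink "$p")"
        return 1
    fi
    if [ ! -e "$p" ]; then
        printf '%-40s missing\n' "$p"
        return 1
    fi
    if [ -d "$p" ]; then
        n=$(ls "$p" 2>/dev/null | grep -c '\.[0-9][0-9]*$')
        printf '%-40s directory with %s hashed link(s)\n' "$p" "$n"
        [ "$n" -gt 0 ]
        return $?
    fi
    if [ ! -r "$p" ]; then
        printf '%-40s not readable\n' "$p"
        return 1
    fi
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$p")
    printf '%-40s %s certificate(s)\n' "$p" "$n"
    [ "$n" -gt 0 ]
    return $?
}

# check_ca_paths [PREFIX]
#   Checks the three paths the old pkg-message documented (PREFIX defaults to
#   /usr/local, an assumption of this example), OpenSSL's OPENSSLDIR when an
#   openssl binary is on the PATH, and the SSL_CERT_FILE / SSL_CERT_DIR
#   overrides. Returns 0 if at least one usable trust store was found.
check_ca_paths() {
    prefix="${1:-/usr/local}"
    found=1
    set -- /etc/ssl/cert.pem "$prefix/etc/ssl/cert.pem" "$prefix/openssl/cert.pem"
    if command -v openssl >/dev/null 2>&1; then
        ossldir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
        if [ -n "$ossldir" ]; then
            set -- "$@" "$ossldir/cert.pem" "$ossldir/certs"
        fi
    fi
    [ -n "${SSL_CERT_FILE-}" ] && set -- "$@" "$SSL_CERT_FILE"
    [ -n "${SSL_CERT_DIR-}" ] && set -- "$@" "$SSL_CERT_DIR"
    for p in "$@"; do
        if ca_bundle_status "$p"; then
            found=0
        fi
    done
    return $found
}

# Run the check only when invoked directly as "./script.sh --check [PREFIX]";
# a non-zero exit means no consumer relying on these defaults finds a trust anchor.
if [ "${1-}" = "--check" ]; then
    check_ca_paths "${2-}"
fi
```

On the host from the report, running this after the ca_root_nss upgrade shows at a glance which of the paths the consumers used to rely on are now missing or dangling, and whether the hashed directory certctl maintains is the only store left.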

