From nobody Thu Oct 5 07:26:30 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S1NQt36kQz4wfh0; Thu, 5 Oct 2023 07:26:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S1NQt2fS2z4VLZ; Thu, 5 Oct 2023 07:26:30 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696490790; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=fJde0wwwbH20byxRVjMUm84JAY/zI5uPKX6SQc4XvZ0=; b=Y8WDSlmTvggEbO02AtQ/XpvIBzwZq7vgNoo+Tpq7Gm1LPojS97+eOMuZmns5XZxn6P0j28 6tJsBOwhKtF8iyNP7T4bVonxVVcuLzOoBW2C3CrwwtZlLacSQgtXbfBD66QClOSORlVIYz VsUHasCpGSj3t1oF6WSNy2uPYvg0Hsil+I614nAWpzeJZWDoxaQCCkCGmJfkr+5g3MbDGK k9eLQqSJsjndxELIhePR1X37KZ+hrCcHKpsNdxPvVv1bdW7G1ej5zP+5kOo539RBmICt4r R3TRxxaQ6ZWAJ+JspEJ70iT8YPEGvwPH2i+KtyM+zW+2Bsg3TO9JRU9iQ/DOZw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696490790; a=rsa-sha256; cv=none; b=ssds+9NfcU2WGj9Lvp2Rp0Yn5Q5qoxcqvzqYaPiI5uUlMbZLIw3SujjCCJdaUvQMHtiqHu 992Jl1xaRWS6k4SHzWLdZKxn1NnPGNulMozTtFTbKa0uIJFNLa4S9zT5AogUXo3W4B274z aLntUwaIR+v6CKGLzVJR0BsVmjoZtfV+O2lyl+YUxvsJu6KXQC613RTy7OomuNHCkoP+KL 3+/FMTLCL/U9OStfI48RvXRgG+HJoayZ97RC9YjtZxVTWzM4Sek9GsmsGJYmBI3G/4jWFe WP/Oklv1AR9ibCc5y5odToS+BDU0rA2b31h0QJPBpsyz0ZzJCHEZOgH6UlSD0w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696490790; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=fJde0wwwbH20byxRVjMUm84JAY/zI5uPKX6SQc4XvZ0=; b=F7YZb50zW8c0e8MefyB4SprAgiRFF1IePEYVk4hLYLiyOB5ByyYKDfp/9onSudZ0P8XEH2 CNxtqDYP3xFHba2FR2Xr3TWncQbrTj2LX5D8gOzQPLTZsmJKKsgPavk/1tYmdzbio6qDIB 9+LR6yjTAEZs9orHL2ifNcBEipQtb8KqYUzXrya/0BMz7mjobDRHXOCvvTaD6k/ZN/Pn9t cYDi/UlIhsfJqEY2d4xAAp47jrPsSuVITeck0bc2jYOnbzS+QEkxdeQj4DgaW/tRbpUjLi 0xSuqSNE5NPerWO3KxRpdg1ka/JlkzLsprJNOnSvaGkyPzB5+nu8JqILqRfE4g== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S1NQt1Vxsz1BJT; Thu, 5 Oct 2023 07:26:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3957QUJD093183; Thu, 5 Oct 2023 07:26:30 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3957QUN3093180; Thu, 5 Oct 2023 07:26:30 GMT (envelope-from git) Date: Thu, 5 Oct 2023 07:26:30 GMT Message-Id: <202310050726.3957QUN3093180@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: fb058a9a40a5 - stable/14 - libfetch: don't rely on ca_root_nss for certificate validation List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: fb058a9a40a5adc82721ed822fb4fba213446a7b Auto-Submitted: auto-generated The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=fb058a9a40a5adc82721ed822fb4fba213446a7b commit fb058a9a40a5adc82721ed822fb4fba213446a7b Author: Michael Osipov AuthorDate: 2023-10-03 05:53:20 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2023-10-05 00:03:16 +0000 libfetch: don't rely on ca_root_nss for certificate validation Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59) --- lib/libfetch/common.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index fd2091791620..dfa742577585 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1055,8 +1055,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) /* * Configure peer verification based on environment. */ -#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem" -#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -1066,12 +1064,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (getenv("SSL_NO_VERIFY_PEER") == NULL) { ca_cert_file = getenv("SSL_CA_CERT_FILE"); - if (ca_cert_file == NULL && - access(LOCAL_CERT_FILE, R_OK) == 0) - ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL && - access(BASE_CERT_FILE, R_OK) == 0) - ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");