From nobody Thu Oct 5 15:56:07 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S1bkv3ZhMz4vs55; Thu, 5 Oct 2023 15:56:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S1bkv30sFz3NNQ; Thu, 5 Oct 2023 15:56:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696521367; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gnX6xRX0nmY8teL90GWAD7lYKkJc90iVkUZbIBBr1xI=; b=DM16WoNhPlw71uIcYCVdgHquWEfgiyN5EoTPkbJ1122tDhvqqvmfQLxxNh+C9wNtufTrFj Nt2EI/lL38OEgdI8vcXC1cGwQyJdH21cMsAGi3rG3aIRs/3pzR4aW/1MQdqqTAyj3ksLKx Jeu1sQ17UpKfBLseMcjtE+7SHNIjGLMfps4hZOPTyr5XCiy8t0Ntb6iiz2x3Uu2N7QqSfi yMmXZ/ykScZN19qP4hN8RiKCwBNKmF7Hp5RW914mg8B7t8rj8nxI13571F0KZcPsbUNU4L d6Fxy9k9RDj/KILudqtYmq44IQJO315NEt6lb36yieXfvkI8rEX/+3B8zQ16SQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696521367; a=rsa-sha256; cv=none; b=Ml5ajtHZt4/l3qlAu9mRPmuXZbqPS54P6+XmxHkTBqsLzwglk2MZA+OQRlDq+/GXwK5iHE YKVfUucFvERzyaEwYIr6j5DAH7RD+Mh5wsx3pLmqooUTTbRijzL04aOq9kh/t4A3UZcOIf xipj4TJ2AfcXjcuHWvZ1XYRF8s/fhTrem/4Pwj65UxHGwAcjXJWgutJlv6r0Zoa5OChebz KitxID43PojiKkn9Lo6AVZe0heoEVETtRM37qeqrPLanWDaj2ERNd99qyQHTBULHRksowW XS0ndr/dVEFEp1UMGG5bvSGBPPrB0/8f27wHvXgWIxfUf4rqoJ7Sob0B5gZKiA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696521367; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gnX6xRX0nmY8teL90GWAD7lYKkJc90iVkUZbIBBr1xI=; b=jfLJk1jqMhaI0/whr6dscPNxa5wmCZf9o61ww7kidxi40hYv11jOY6zSQnFA5vrjn2hkkW xBWbivXmoauv3gjZpW2uTJknjanWNpnuC+ah7kxjPqzRhb5b/PKIsWLO/WRdVsEf5PZ68H F2YxZhvzPjggH2t1+D1fRUImeVrWD7MhmuoqwxbwCykIB8wFhHLSouPX5npRI0uxG/Fp/q ZezjewZghsCrtoX/IauH//Z23Q6fgfm6Mn+ec8mhIlk4gULjDokWXfoj0G7hgOpLE5JnKK mI6ZLmSLDkCIud7nZp16sV31MvSO0afnD7pgrllwM3trve8ujCADCgVurIHV5w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S1bkv1rYpz1QrQ; Thu, 5 Oct 2023 15:56:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 395Fu7Iq047355; Thu, 5 Oct 2023 15:56:07 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 395Fu7eF047352; Thu, 5 Oct 2023 15:56:07 GMT (envelope-from git) Date: Thu, 5 Oct 2023 15:56:07 GMT Message-Id: <202310051556.395Fu7eF047352@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: baf69f6c9973 - stable/13 - libfetch: don't rely on ca_root_nss for certificate validation List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: baf69f6c997392cde9ae75d3ebc25a8201c7cc99 Auto-Submitted: auto-generated The branch stable/13 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=baf69f6c997392cde9ae75d3ebc25a8201c7cc99 commit baf69f6c997392cde9ae75d3ebc25a8201c7cc99 Author: Michael Osipov AuthorDate: 2023-10-03 05:53:20 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2023-10-05 15:55:33 +0000 libfetch: don't rely on ca_root_nss for certificate validation Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59) --- lib/libfetch/common.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index c01710832791..69b507109bc4 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1071,8 +1071,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) /* * Configure peer verification based on environment. */ -#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem" -#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -1082,12 +1080,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (getenv("SSL_NO_VERIFY_PEER") == NULL) { ca_cert_file = getenv("SSL_CA_CERT_FILE"); - if (ca_cert_file == NULL && - access(LOCAL_CERT_FILE, R_OK) == 0) - ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL && - access(BASE_CERT_FILE, R_OK) == 0) - ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");