Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 16 May 2014 23:50:34 -0400
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r266291 - head/lib/libfetch
Message-ID:  <511c8ee74b80cf5d7f6af531bfda3b18@shatow.net>
In-Reply-To: <201405170339.s4H3dv2j050943@svn.freebsd.org>
References:  <201405170339.s4H3dv2j050943@svn.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Thanks! This is really needed for 9.3 for ports. So I
hope re@ doesn't mind if it comes in after the freeze.

Thanks,
Bryan

On 2014-05-16 23:39, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Sat May 17 03:39:56 2014
> New Revision: 266291
> URL: http://svnweb.freebsd.org/changeset/base/266291
> 
> Log:
>   Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
> 
>   MFH:	1 week
> 
> Modified:
>   head/lib/libfetch/common.c
> 
> Modified: head/lib/libfetch/common.c
> ==============================================================================
> --- head/lib/libfetch/common.c	Sat May 17 03:28:43 2014	(r266290)
> +++ head/lib/libfetch/common.c	Sat May 17 03:39:56 2014	(r266291)
> @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX
>  /*
>   * Configure peer verification based on environment.
>   */
> +#define LOCAL_CERT_FILE	"/usr/local/etc/ssl/cert.pem"
> +#define BASE_CERT_FILE	"/etc/ssl/cert.pem"
>  static int
>  fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
>  {
> @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT
>  	const char *ca_cert_file, *ca_cert_path, *crl_file;
> 
>  	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
> -		ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
> -		    getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
> +		ca_cert_file = getenv("SSL_CA_CERT_FILE");
> +		if (ca_cert_file == NULL &&
> +		    access(LOCAL_CERT_FILE, R_OK) == 0)
> +			ca_cert_file = LOCAL_CERT_FILE;
> +		if (ca_cert_file == NULL)
> +			ca_cert_file = BASE_CERT_FILE;
>  		ca_cert_path = getenv("SSL_CA_CERT_PATH");
>  		if (verbose) {
>  			fetch_info("Peer verification enabled");

-- 
Regards,
Bryan Drewery



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?511c8ee74b80cf5d7f6af531bfda3b18>