From owner-freebsd-ports@FreeBSD.ORG Wed Jul 31 12:55:43 2013
Date: Wed, 31 Jul 2013 14:48:53 +0200
From: Michael Gmelin
To: Nikolai Lifanov
Cc: freebsd-ports@freebsd.org
Subject: Re: r253680 in CURRENT breaks GH ports and maybe others
Message-ID: <20130731144853.2a13617b@bsd64.grem.de>
In-Reply-To: <831982af5f96759f17d21aba62b02eb6@mail.lifanov.com>
References: <831982af5f96759f17d21aba62b02eb6@mail.lifanov.com>
X-Mailer: Claws Mail 3.9.1 (GTK+ 2.24.18; amd64-portbld-freebsd9.1)
Content-Type: text/plain; charset=US-ASCII
List-Id: Porting software to FreeBSD

On Wed, 31 Jul 2013 08:18:51 -0400
Nikolai Lifanov wrote:

> r253680 enables SSL certificate verification for "fetch" command.
> Ports use "fetch" to download distfiles.
>
> At least all USE_GITHUB fetches are broken on CURRENT, and others
> might be too.
>
> What is the correct/intended way to handle master sites that use bad
> SSL certificates?
> Is there an intention to depend on a root certificate bundle after
> this?
Hi Nikolai,

I'd suggest either:

Install security/ca_root_nss with ETCSYMLINK enabled

or alternatively

add "--no-verify-peer" to fetch args for ports (which would make sense,
since ports uses checksums anyway)

As a quick workaround you can do:

export SSL_NO_VERIFY_PEER=1
make install

It probably makes sense to modify FETCH_ARGS in
/usr/ports/Mk/bsd.port.mk to read

FETCH_ARGS?= -AFpr --no-verify-peer

(see also man fetch(1) and fetch(3)).

Having a cert bundle *would* be nice, but like I said, the ports system
uses checksums, so the additional security probably doesn't make up for
the trouble.

Cheers,
Michael

> => Attempting to fetch
> https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz
> Certificate verification failed for /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
> 34380834376:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
>
> - Nikolai Lifanov
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to
> "freebsd-ports-unsubscribe@freebsd.org"

--
Michael Gmelin
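Michael's argument rests on the distinfo checksum check that the ports framework runs on every fetched distfile. The script below is an added example, not code from this thread or from the FreeBSD ports tree: it reimplements that check in portable sh against a constructed distinfo entry (the `SHA256 (file) = ...` / `SIZE (file) = ...` line format is the real one; the file name, content and hash are constructed for the demo), and shows how a same-size tampered download is rejected. It assumes either FreeBSD's `sha256` or coreutils' `sha256sum` is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a downloaded
# distfile against a ports-style distinfo entry, i.e. the integrity check
# that still applies when fetch(1) runs with --no-verify-peer.
# Assumption: sha256 (FreeBSD) or sha256sum (coreutils) is available.

# Compute the SHA256 of a file, portable across FreeBSD and Linux.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_distfile DISTINFO FILE
# Returns 0 on match, 1 on size mismatch, 2 on checksum mismatch,
# 3 if distinfo has no SHA256 entry for FILE's basename.
verify_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    # Escape dots so the basename is matched literally in the sed BRE.
    esc=$(printf '%s' "$name" | sed 's/[.]/\\./g')
    want_sum=$(sed -n "s/^SHA256 ($esc) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($esc) = //p" "$distinfo")
    [ -n "$want_sum" ] || return 3
    got_size=$(wc -c < "$file" | tr -d ' ')
    [ "$got_size" = "$want_size" ] || return 1
    got_sum=$(sha256_of "$file")
    [ "$got_sum" = "$want_sum" ] || return 2
    return 0
}

# Build a constructed distinfo plus a good and a same-size tampered copy of
# the distfile in a temp dir, run the check on both, and print the two
# return codes ("0 2" when the good copy passes and the tampered one fails).
run_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/good" "$tmp/bad"
    # Constructed stand-in content; SHA256 of "hello\n" is well known.
    printf 'hello\n' > "$tmp/good/sample-1.0.tar.gz"
    printf 'hellp\n' > "$tmp/bad/sample-1.0.tar.gz"
    cat > "$tmp/distinfo" <<'EOF'
SHA256 (sample-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (sample-1.0.tar.gz) = 6
EOF
    good=0; verify_distfile "$tmp/distinfo" "$tmp/good/sample-1.0.tar.gz" || good=$?
    bad=0;  verify_distfile "$tmp/distinfo" "$tmp/bad/sample-1.0.tar.gz"  || bad=$?
    rm -rf "$tmp"
    echo "$good $bad"
}

# Run the demo when executed directly (harmless when the file is sourced).
[ "${0##*/}" = "verify_distfile.sh" ] && run_demo
```

The size check comes first because it is cheap and catches truncated downloads before any hashing; the checksum then pins the file to exactly what the port maintainer recorded. Note what this does and does not cover: it protects every later fetch against a modified or substituted distfile, but it cannot validate the maintainer's own first download, which is the one fetch where peer verification (or the ca_root_nss bundle) still adds something.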