From owner-freebsd-ports@FreeBSD.ORG Wed Jul 31 13:05:19 2013 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 23EEF497; Wed, 31 Jul 2013 13:05:19 +0000 (UTC) (envelope-from lifanov@mail.lifanov.com) Received: from mail.lifanov.com (mail.lifanov.com [206.125.175.12]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id D04FF2113; Wed, 31 Jul 2013 13:05:18 +0000 (UTC) Received: from [10.1.3.5] (cnet520-windstream.mcclatchyinteractive.com [166.108.16.2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mail.lifanov.com (Postfix) with ESMTPSA id 6A6C91A3DA3; Wed, 31 Jul 2013 13:05:18 +0000 (UTC) Message-ID: <51F90B8D.4030808@mail.lifanov.com> Date: Wed, 31 Jul 2013 09:05:17 -0400 From: Nikolai Lifanov User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130628 Thunderbird/17.0.7 MIME-Version: 1.0 To: Michael Gmelin Subject: Re: r253680 in CURRENT breaks GH ports and maybe others References: <831982af5f96759f17d21aba62b02eb6@mail.lifanov.com> <20130731144853.2a13617b@bsd64.grem.de> In-Reply-To: <20130731144853.2a13617b@bsd64.grem.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Baptiste Daroussin , freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Jul 2013 13:05:19 -0000 On 07/31/13 08:48, Michael Gmelin wrote: > On Wed, 31 Jul 2013 08:18:51 -0400 > Nikolai Lifanov wrote: > >> r253680 enables SSL certificate verification for "fetch" command. >> Ports use "fetch" to download distfiles. >> >> At least all USE_GITHUB fetches are broken on CURRENT, and others >> might be too. >> >> What is the correct/intended way to handle master sites that use bad >> SSL certificates? >> Is there an intention to depend on a root certificate bundle after >> this? > > Hi Nikolai, > > I'd suggest to either: > > Install security/ca_root_nss with ETCSYMLINK enabled > > or alternatively add "--no-verify-peer" to fetch args for ports (which > would make sense, since ports uses checksums anyway) > > As a quick workaround you can do: > > export SSL_NO_VERIFY_PEER=1 > make install > > It probably makes sense to modify FETCH_ARGS > in /usr/ports/Mk/bsd.port.mk to read > > FETCH_ARGS?= -AFpr --no-verify-peer > > (see also man fetch(1) and fetch(3)). > > Having a cert bundle *would* be nice, but like I said, the ports system > uses checksums, so the additional security probably doesn't make up for > the trouble. > > Cheers, > Michael > >> >> => Attempting to fetch >> https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz >> Certificate verification failed for /C=US/O=DigiCert >> Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 >> 34380834376:error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify >> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168: >> >> - Nikolai Lifanov >> >> _______________________________________________ >> freebsd-ports@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-ports >> To unsubscribe, send any mail to >> "freebsd-ports-unsubscribe@freebsd.org" > I fully agree. We already checksum the *distfiles*. It shouldn't be important what the source is. Are there any objections to adding --no-verify-peer to FETCH_ARGS across the board? - Nikolai Lifanov