Date: Tue, 27 May 2014 10:00:13 -0400
From: Adam McDougall <mcdouga9@egr.msu.edu>
To: des@freebsd.org
Cc: svn-src-all@freebsd.org
Subject: Re: svn commit: r266291 - head/lib/libfetch
Message-ID: <53849A6D.608@egr.msu.edu>
In-Reply-To: <201405170339.s4H3dv2j050943@svn.freebsd.org>
References: <201405170339.s4H3dv2j050943@svn.freebsd.org>
On 05/16/2014 23:39, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Sat May 17 03:39:56 2014
> New Revision: 266291
> URL: http://svnweb.freebsd.org/changeset/base/266291
>
> Log:
>   Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
>
>   MFH:  1 week
>
> Modified:
>   head/lib/libfetch/common.c
>
> Modified: head/lib/libfetch/common.c
> ==============================================================================
> --- head/lib/libfetch/common.c  Sat May 17 03:28:43 2014  (r266290)
> +++ head/lib/libfetch/common.c  Sat May 17 03:39:56 2014  (r266291)
> @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX
>  /*
>   * Configure peer verification based on environment.
>   */
> +#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem"
> +#define BASE_CERT_FILE "/etc/ssl/cert.pem"
>  static int
>  fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
>  {
> @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT
>          const char *ca_cert_file, *ca_cert_path, *crl_file;
>
>          if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
> -                ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
> -                    getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
> +                ca_cert_file = getenv("SSL_CA_CERT_FILE");
> +                if (ca_cert_file == NULL &&
> +                    access(LOCAL_CERT_FILE, R_OK) == 0)
> +                        ca_cert_file = LOCAL_CERT_FILE;
> +                if (ca_cert_file == NULL)
> +                        ca_cert_file = BASE_CERT_FILE;
>                  ca_cert_path = getenv("SSL_CA_CERT_PATH");
>                  if (verbose) {
>                          fetch_info("Peer verification enabled");

Was /usr/local/share/certs/ca-root-nss.crt the intended path? If not, what port is expected to install /usr/local/etc/ssl/cert.pem? I found security/ca_root_nss/ but it needs the ETCSYMLINK which also makes this patch unnecessary, so I'm confused. I'd like to make use of it and in a proper manner. Thanks.
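Review bot: in the second hunk, `access(LOCAL_CERT_FILE, R_OK) == 0` is only a heuristic for whether the file can be loaded later: access(2) checks permissions against the real uid rather than the effective uid, and the probe is separated in time from the eventual use of ca_cert_file, so for a set-uid caller, or if the file is removed or made unreadable between the two steps, the default will point at a file that cannot be read while the fall-back to BASE_CERT_FILE is skipped. A more robust shape is to try LOCAL_CERT_FILE first and fall back to BASE_CERT_FILE when the load fails, rather than deciding up front. Independently of that, the change means a file under the package-managed /usr/local/etc/ssl now takes precedence over the base system trust store in /etc/ssl, which affects what every libfetch user verifies against; the Modified list shows only common.c, so this precedence (and the existing SSL_CA_CERT_FILE override) should also be documented in fetch(3). Minor style point in the first hunk: the two `#define` lines are inserted between the block comment and the function it describes; moving them above the comment keeps the comment attached to `fetch_ssl_setup_peer_verification`.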