Date: Sat, 07 Oct 2023 13:29:42 +0200
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: Koichiro Iwao <meta@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, ports@freebsd.org
Subject: Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
Message-ID: <86leceekm1.fsf@ltc.des.no>
In-Reply-To: <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk> (Koichiro Iwao's message of "Sat, 7 Oct 2023 19:56:54 +0900")
References: <202310061549.396Fn8xF027032@gitrepo.freebsd.org> <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk>

Koichiro Iwao <meta@freebsd.org> writes:
> Some applications cannot verify SSL certificate after this update. I tried to
> rebuild wget and aria2 with the revision after recent update of ca_root_nss but
> no joy.
>
> % LANG=C aria2c https://www.freebsd.org/
> [...]

The bug is in aria2 which tries to load a trust bundle named "no". This comes from the --without-ca-bundle option which the maintainer requested that I add when he reviewed my patch. I didn't think it mattered so I added it without testing the result, but rather than disabling the use of a trust bundle it just (because of how autoconf works) sets the trust bundle path to "no". I'll commit a fix as soon as I've tested it.

> I think all ca_root_nss consumers must be checked.

That's not really feasible. I can only check ports which (incorrectly, in most cases) declare a dependency on it. Significantly, wget does not, so if it's broken it's been broken for at least three years.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86leceekm1.fsf>
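
The failure mode described in the message above, as an added example that is not part of the original e-mail and is not aria2's or the port's actual configure code: autoconf defines `--without-FOO` as `--with-FOO=no`, so a handler that uses the value as a path without checking for `no` ends up with a trust bundle named "no". The function names and the sample path `/path/to/bundle.pem` are hypothetical.

```shell
#!/bin/sh
# Model of how an autoconf-generated configure script maps a --with/--without
# argument to $withval. --without-NAME is defined to mean --with-NAME=no.
parse_with() {  # usage: parse_with NAME ARG ; prints the resulting withval
    name=$1 arg=$2
    case $arg in
        --with-"$name"=*)  printf '%s\n' "${arg#*=}" ;;
        --with-"$name")    printf 'yes\n' ;;
        --without-"$name") printf 'no\n' ;;
        *) return 1 ;;
    esac
}

# Hypothetical naive handler: whatever arrives in withval becomes the path.
naive_ca_bundle() {
    withval=$(parse_with ca-bundle "$1") || withval=
    printf '%s\n' "$withval"
}

# Hypothetical checked handler: "no" or nothing disables the bundle, a bare
# "yes" is rejected because no path was given, anything else is the path.
checked_ca_bundle() {
    withval=$(parse_with ca-bundle "$1") || withval=
    case $withval in
        no|'') printf '\n' ;;
        yes)   echo "--with-ca-bundle needs a path" >&2; return 2 ;;
        *)     printf '%s\n' "$withval" ;;
    esac
}

# Constructed sample arguments; the path is a placeholder, not a real file.
for arg in --without-ca-bundle --with-ca-bundle=/path/to/bundle.pem; do
    printf '%-40s naive=[%s] checked=[%s]\n' "$arg" \
        "$(naive_ca_bundle "$arg")" "$(checked_ca_bundle "$arg")"
done
```
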