From: Matthew Seaman
Date: Mon, 19 Jan 2015 11:28:47 +0000
To: freebsd-pkg@freebsd.org
Subject: Re: Please help regarding usage of client certifcates with pkg command used on freeBSD
Message-ID: <54BCEA6F.9050108@infracaninophile.co.uk>
In-Reply-To: <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>

On 01/19/15 11:07, Baptiste Daroussin wrote:
> January 1 2015 8:09 AM, "Mohit Hasija" wrote:
>> Dear Pkg port Manager,
>>
>> We intend to use client certificates for https authentication during retrieval of a package from a
>> custom repository built at remote location.
>>
>> We want to know the following:
>>
>> 1. Is there inbuilt support for usage of client certificates with "pkg" command on FreeBSD 10.1
>> release?
>>
>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>
>> In case No, how can we add support to pkg with minimal efforts for using client certificates?
>>
>> Awaiting an early reply...
>>
>> regards
>>
>> Mohit Hasija
>
> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does support such feature.
>
> Adding such feature to libfetch would be great but that would also mean it will not find its way to FreeBSD 10.1 as FreeBSD 10.1 is already released.
>
> FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss such things.

This should be possible -- see the fetch(3) man page, especially the
ENVIRONMENT section where it mentions amongst other things:

     SSL_CLIENT_CERT_FILE    PEM encoded client certificate/key which will
                             be used in client certificate authentication.

     SSL_CLIENT_KEY_FILE     PEM encoded client key in case key and client
                             certificate are stored separately.

Simply set those environment variables to appropriate values and it
should just work. You may need to add settings to tell fetch(3) to
trust the server certificates.

If you can make the client cert authentication work with fetch(1) --
which might be easier to debug -- then it should work with pkg(8).

Do let us know how you get on.

Cheers,

Matthew
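
Added example, not part of the message above and not code from the pkg or libfetch projects: a preflight check for the two fetch(3) variables quoted in the reply, followed by the fetch(1)-then-pkg(8) order the reply suggests. The file paths, the REPO_URL/CERT/KEY/CA variable names, the repository URL and the strict key-mode policy are assumptions of this example; SSL_CA_CERT_FILE comes from the same fetch(3) ENVIRONMENT section but is not quoted in the message.

```shell
#!/bin/sh
# Preflight for fetch(3) client-certificate authentication (added example).

# has_pem_block FILE LABEL_REGEX: true if FILE has a matching PEM BEGIN line.
has_pem_block() {
    grep -Eq -e "^-----BEGIN ($2)-----" "$1" 2>/dev/null
}

# client_cert_env CERT [KEY]: validate the PEM files, then export the
# variables fetch(3) reads. With no KEY, CERT must hold cert and key.
client_cert_env() {
    cc_cert=$1
    cc_key=${2:-$1}
    [ -r "$cc_cert" ] || { echo "cannot read $cc_cert" >&2; return 1; }
    [ -r "$cc_key" ]  || { echo "cannot read $cc_key" >&2; return 1; }
    has_pem_block "$cc_cert" 'CERTIFICATE' ||
        { echo "$cc_cert: no PEM certificate block" >&2; return 1; }
    has_pem_block "$cc_key" '[A-Z ]*PRIVATE KEY' ||
        { echo "$cc_key: no PEM private key block" >&2; return 1; }
    # Policy of this example: the key file is owner-only (group/other bits clear).
    cc_mode=$(ls -ldL "$cc_key" | cut -c5-10)
    [ "$cc_mode" = "------" ] ||
        { echo "$cc_key: readable beyond owner, chmod 600" >&2; return 1; }
    export SSL_CLIENT_CERT_FILE="$cc_cert"
    if [ "$cc_key" = "$cc_cert" ]; then
        unset SSL_CLIENT_KEY_FILE
    else
        export SSL_CLIENT_KEY_FILE="$cc_key"
    fi
}

# Runs only when a URL is supplied, e.g. (placeholder host and paths):
#   REPO_URL=https://pkg.example.org/myrepo/meta.txz \
#   CERT=/usr/local/etc/ssl/pkg-client.crt \
#   KEY=/usr/local/etc/ssl/pkg-client.key sh preflight.sh
if [ -n "${REPO_URL:-}" ]; then
    client_cert_env "${CERT:?set CERT}" "${KEY:-}" || exit 1
    # Optional: CA bundle used to verify the repository server.
    if [ -n "${CA:-}" ]; then export SSL_CA_CERT_FILE="$CA"; fi
    # Test with fetch(1) first; if it succeeds, pkg(8) inherits the same
    # environment and goes through the same libfetch code path.
    fetch -v -o /dev/null "$REPO_URL" && pkg update -f
fi
```

The exported variables only reach pkg(8) if it is started from the same environment, so a cron job or sudo invocation has to set or preserve them as well.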