Date:      Mon, 15 Aug 2022 10:17:02 +0200
From:      Tĳl Coosemans <tijl@FreeBSD.org>
To:        Tatsuki Makino <tatsuki_makino@hotmail.com>
Cc:        Andrea Venturoli <ml@netfence.it>, novel@FreeBSD.org, freebsd-ports@freebsd.org
Subject:   Re: Again on security/gnutls certificate store
Message-ID:  <20220815101702.7e2a97fa@FreeBSD.org>
In-Reply-To: <PSAPR03MB563911D05F103AABBC0383DEFA699@PSAPR03MB5639.apcprd03.prod.outlook.com>
References:  <02cb8bc2-8d91-8d58-e764-baab240680bf@netfence.it> <20220813115126.2deda35d@FreeBSD.org> <PSAPR03MB563911D05F103AABBC0383DEFA699@PSAPR03MB5639.apcprd03.prod.outlook.com>

On Mon, 15 Aug 2022 08:18:36 +0900 Tatsuki Makino
<tatsuki_makino@hotmail.com> wrote:
> Tĳl Coosemans wrote on 2022/08/13 18:51:
>> Try this patch for p11-kit.  If it works you can file a bug against
>> p11-kit, because I believe ports are supposed to move away from
>> ca_root_nss.
>>
>> --- a/security/p11-kit/Makefile
>> +++ b/security/p11-kit/Makefile
>> @@ -25,7 +25,7 @@ MESON_ARGS=   -Dbash_completion=enabled \
>>                 -Dlibffi=enabled \
>>                 -Dnls=false \
>>                 -Dtrust_module=enabled \
>> -               -Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt
>> +               -Dtrust_paths=/etc/ssl/certs
>>
>>  OPTIONS_DEFINE=                DOCS MANPAGES TEST
>>  OPTIONS_SUB=           yes
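Review bot: the replacement trust_paths value is a directory where the old one was a file, and the trust module treats the two differently, as the follow-up in this thread explains: a file is marked trusted automatically, while certificates in a directory are only marked trusted when they sit in a subdirectory named "anchors". Before committing the "+ -Dtrust_paths=/etc/ssl/certs" line, confirm that the certificates under /etc/ssl/certs are reachable through an anchors subdirectory (or keep a file entry in the list); otherwise the port builds, but the certificates in that directory would not be marked trusted. The commit message should also record why ${LOCALBASE}/share/certs/ca-root-nss.crt is dropped, given that the thread says both locations hold the same NSS certificates.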
>
> When ./configure
> --with-trust-paths=/usr/local/share/certs/ca-root-nss.crt:/etc/ssl/certs
> is used, TRUST_PATHS is defined as
> "/usr/local/share/certs/ca-root-nss.crt:/etc/ssl/certs" in
> ${WRKSRC}/config.h.
> When meson, TRUST_PATHS is defined in ${WRKSRC}/_build/config.h as
> defined by
> MESON_ARGS=-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt:/etc/ssl/certs.
>
> Since these would be the same value, why not just specify multiple
> paths in meson, separated by a colon?

It would be duplication because /etc/ssl/certs contains the same NSS
certificates.

> Also, is there something wrong with omitting ca-root-nss.crt filename,
> since the directories seem to be handled properly?

It turns out directories and files are treated differently.  Files are
automatically marked as trusted.  With directories the certificates have
to be in a subdirectory named "anchors" to be marked trusted.  See
https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html
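An added example, not code from this thread, the p11-kit port or p11-kit itself: it applies the file-versus-directory rule just described to a colon-separated trust_paths value of the form used in MESON_ARGS and --with-trust-paths earlier in the thread. The function names are hypothetical, and the fixture files are constructed placeholders rather than real certificates.

```sh
# Classify each entry of a colon-separated trust_paths value (hypothetical
# helper): a file entry is reported trusted as-is, a directory entry only
# has its anchors/ subdirectory reported trusted.  Prints "<status> <path>".
classify_trust_paths() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if [ -f "$entry" ]; then
            echo "trusted $entry"
        elif [ -d "$entry" ]; then
            # Certificates directly in the directory are not marked trusted.
            for f in "$entry"/*.crt "$entry"/*.pem; do
                [ -f "$f" ] && echo "untrusted $f"
            done
            # Only certificates in the anchors/ subdirectory count as trusted.
            for f in "$entry"/anchors/*.crt "$entry"/anchors/*.pem; do
                [ -f "$f" ] && echo "trusted $f"
            done
        else
            echo "missing $entry"
        fi
    done
}

# Constructed fixture (hypothetical helper) mirroring the two candidates
# from the thread: a ca-root-nss.crt file and a certs directory that holds
# one certificate at top level and one under anchors/.
demo_trust_paths() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/certs/anchors"
    # Placeholder contents; a real deployment holds PEM certificates here.
    echo 'placeholder' > "$tmp/ca-root-nss.crt"
    echo 'placeholder' > "$tmp/certs/plain.pem"
    echo 'placeholder' > "$tmp/certs/anchors/root.pem"
    result=$(classify_trust_paths "$tmp/ca-root-nss.crt:$tmp/certs")
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

demo_trust_paths
```

The file entry and the anchors/ certificate are reported trusted; the top-level certificate in the directory is not, which is the case the thread is about.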


