Date: Sat, 13 Aug 2022 11:51:26 +0200
From: Tĳl Coosemans <tijl@FreeBSD.org>
To: Andrea Venturoli <ml@netfence.it>
Cc: novel@FreeBSD.org, freebsd-ports@freebsd.org
Subject: Re: Again on security/gnutls certificate store
Message-ID: <20220813115126.2deda35d@FreeBSD.org>
In-Reply-To: <02cb8bc2-8d91-8d58-e764-baab240680bf@netfence.it>
References: <02cb8bc2-8d91-8d58-e764-baab240680bf@netfence.it>

On Sat, 13 Aug 2022 10:35:21 +0200 Andrea Venturoli <ml@netfence.it> wrote:
> Hello.
>
> I'm building my ports with Poudriere using quarterly branch. Also I need
> a private CA (whose cert is correctly hashed in /etc/ssl/certs).
>
> Some time ago, since gnutls didn't pick up my cert, I reported #260723
> (security/gnutls uses only security/ca_root_nss as certificate store)
> This bug was referring to the case where P11KIT option was off.
>
> Recently, however, building net/glib-networking will fail unless P11KIT
> option is ON.
> In this latter case gnutls delegates certificate management to p11-kit
> (forgive me if this is not 100% correct, but I think this is enough in
> this context), which, again, doesn't pick up my cert.
>
> So I'm asking what to do:
> _ reopen the old bug (the problem is still the same, but with a
> different configuration)?
> _ open a new bug, still against gnutls?
> _ open a bug against p11-kit?
>
> bye & Thanks
> av.

Try this patch for p11-kit. If it works you can file a bug against p11-kit, because I believe ports are supposed to move away from ca_root_nss.

--- a/security/p11-kit/Makefile +++ b/security/p11-kit/Makefile @@ -25,7 +25,7 @@ MESON_ARGS= -Dbash_completion=enabled \ -Dlibffi=enabled \ -Dnls=false \ -Dtrust_module=enabled \ - -Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt + -Dtrust_paths=/etc/ssl/certs OPTIONS_DEFINE= DOCS MANPAGES TEST OPTIONS_SUB= yes
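
Review bot: The new `-Dtrust_paths=/etc/ssl/certs` line hard-codes the base-system directory and drops the `${LOCALBASE}/share/certs/ca-root-nss.crt` bundle outright, so after this change the trust module's anchors depend entirely on what is present in `/etc/ssl/certs`; a Makefile comment saying why that directory is the intended store, and that the ca_root_nss bundle is deliberately no longer read, would make the intent reviewable. The patch consists of this single hunk and carries no PORTREVISION bump, which a committed version would need because `trust_paths` is a build-time default and already-installed packages would otherwise keep the old path.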
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20220813115126.2deda35d>