Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Sat, 07 Oct 2023 11:58:26 UTC
Koichiro Iwao <meta@freebsd.org> writes:
> % LANG=C wget -O - https://www.freebsd.org
> --2023-10-07 19:50:58--  https://www.freebsd.org/
> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
>   Unable to locally verify the issuer's authority.
> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.

I'm unable to reproduce this on 13.2.  Running wget under ktrace shows
that although it first looks for the nonexistent bundle, it correctly
falls back to the system trust store.

$ ktrace wget -O /dev/null https://www.freebsd.org/
--2023-10-07 13:57:20--  https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 147.28.184.45, 2604:1380:4091:a001::50:3
Connecting to www.freebsd.org (www.freebsd.org)|147.28.184.45|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15539 (15K) [text/html]
Saving to: ‘/dev/null’

/dev/null           100%[===================>]  15.17K  --.-KB/s    in 0.001s  

2023-10-07 13:57:20 (16.3 MB/s) - ‘/dev/null’ saved [15539/15539]

$ kdump -tn | grep etc/ssl
   606 wget     NAMI  "/etc/ssl/openssl.cnf"
   606 wget     NAMI  "/etc/ssl/cert.pem"
   606 wget     NAMI  "/etc/ssl/certs/8d33f237.0"
   606 wget     NAMI  "/etc/ssl/certs/4042bcee.0"
   606 wget     NAMI  "/etc/ssl/certs/4042bcee.0"
   606 wget     NAMI  "/etc/ssl/certs/4042bcee.1"
   606 wget     NAMI  "/etc/ssl/certs/4042bcee.1"
   606 wget     NAMI  "/etc/ssl/certs/4042bcee.2"

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
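The kdump output above shows the two places OpenSSL-based clients look for trust anchors: a single bundle file (/etc/ssl/cert.pem, which after the symlink removal may no longer exist) and the hashed directory (/etc/ssl/certs/, whose entries are named by the first eight hex digits of the subject hash plus a sequence number, such as 4042bcee.0). The following is an added example, not code from this thread, the port or FreeBSD: it reports which of the two sources a client on this machine would actually be able to use, so the "bundle gone but hashed directory populated" situation can be told apart from a genuinely empty trust store. It assumes Python's ssl module is linked against the same OpenSSL the client uses; the function and variable names, and the temporary directory layout built by demo_constructed_layout, are constructed for illustration.

```python
import os
import re
import ssl
import sys
import tempfile

# OpenSSL hashed-directory entries look like <8 hex digits>.<n>,
# e.g. 4042bcee.0 / 4042bcee.1 in the kdump output.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def inspect_trust_store(cafile, capath):
    """Report what OpenSSL would find at the bundle path and the hashed directory.

    bundle_present  - cafile exists and is non-empty
    bundle_dangling - cafile is a symlink whose target is missing
    hashed_entries  - number of hash-named entries in capath (0 if absent)
    usable          - at least one of the two sources can supply CAs
    """
    bundle_present = os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    bundle_dangling = os.path.islink(cafile) and not os.path.exists(cafile)
    hashed_entries = 0
    if os.path.isdir(capath):
        hashed_entries = sum(1 for n in os.listdir(capath) if HASHED_NAME.match(n))
    return {
        "bundle_present": bundle_present,
        "bundle_dangling": bundle_dangling,
        "hashed_entries": hashed_entries,
        "usable": bundle_present or hashed_entries > 0,
    }


def inspect_default_trust_store():
    """Use the paths compiled into the local OpenSSL, honouring the
    SSL_CERT_FILE / SSL_CERT_DIR overrides the same way libssl does."""
    paths = ssl.get_default_verify_paths()
    cafile = os.environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = os.environ.get(paths.openssl_capath_env, paths.openssl_capath)
    return cafile, capath, inspect_trust_store(cafile, capath)


def demo_constructed_layout():
    """Constructed fixture (not a real system): a dangling cert.pem symlink next to
    a populated hashed directory, mirroring the situation discussed above.
    Returns the report for that layout."""
    root = tempfile.mkdtemp(prefix="truststore-demo-")
    cafile = os.path.join(root, "cert.pem")
    os.symlink(os.path.join(root, "missing-bundle.pem"), cafile)  # target never created
    capath = os.path.join(root, "certs")
    os.mkdir(capath)
    for name in ("4042bcee.0", "4042bcee.1", "8d33f237.0", "README"):
        open(os.path.join(capath, name), "w").close()  # README must not count
    return inspect_trust_store(cafile, capath)


if __name__ == "__main__":
    cafile, capath, report = inspect_default_trust_store()
    print(f"bundle:     {cafile}")
    print(f"hashed dir: {capath}")
    for key, value in report.items():
        print(f"  {key}: {value}")
    # Non-zero exit when neither source would give the client any trust anchors.
    sys.exit(0 if report["usable"] else 1)
```

Run without arguments it prints the verdict for the local OpenSSL; a usable=False result, with a dangling bundle and zero hashed entries, is the condition under which wget's "Unable to locally verify the issuer's authority" is expected, whereas a dangling bundle beside a populated directory is the fallback path the ktrace above shows working.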