From nobody Sat Oct 07 19:56:43 2023
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S2wzp0v19z4wBwb;
	Sat,  7 Oct 2023 19:56:54 +0000 (UTC)
	(envelope-from meta@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4S2wzn6MJfz4MRk;
	Sat,  7 Oct 2023 19:56:53 +0000 (UTC)
	(envelope-from meta@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1696708613;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=MFeFJ82Uxh3nwYOOvO+cXM6fR6Crrn84goRjYmZZUbk=;
	b=Xs9npNMQf8XjYd7wOJbPxHErCsfgdCfRySIHTyMkeAhgKwxZdpnTcUMVF9pC72MMJ9rejP
	gNLhrlAV+xQNI0o1+//7MjOJqRCIsdXpHaAh98dVwmX5c+D/9Ll8j9nqx15Y7LF11LP8uX
	vn//ehOQOicT8Em2OvlvV1DzdI7Rss5wL6w5BiT7rsbBCfPSTx4AwSMNXm2lX70SIigBDG
	QQW/DV0+KHlJM0QlYZGp6bK0+jEqANoWdbguj0a51RpnNEZIsP0YxlD8n9/VaY/j08y4sK
	6rEa5uy4duibrSAaf2YLwmIvSWiMNfQuwCPxRdgih05TrAgHa+3xXW18YXwvuw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696708613; a=rsa-sha256; cv=none;
	b=elkhBrwtUmrAJviBY9zge28NxdCokrbynOqki2PoGd7a3f6TxJ50N4BPLbfxvvQe4KoaAl
	8PQgCt0+bUl478uN+W+/Z2p+LisbaseQvvs/UL3LE01Kg/n/pTkGbTdOZCosN5Nmas7L36
	EVntu9YJITh4qt3s9Br1WZMtWISmi3RW/6tujnmfTPuHwN3XDwa+qhNZ14cysfjhStj0gm
	LLjKzwZ54d0ZxPiTqFtJg6KWNPbxWvVbUNWtsWCjuvuVQxKblBoQgf0soKKjj/oU3N0Z9m
	Y1KUhZmowC4xHQRrceWWhEN1Vpd1DAPeVq2O67hq+7hx5KAZ515JhplheQeA3Q==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1696708613;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=MFeFJ82Uxh3nwYOOvO+cXM6fR6Crrn84goRjYmZZUbk=;
	b=kXASM4Ui3YVLBm+zkVZgJvqx80hBvcBgji+62RstXqIq5IvPJOMmyKIbq9F8i/6IOJXvf0
	RhZfOSuhjReGG5rYScJh1DgVSwBiZN0YU1OMmM4KB1wy/UeU0ZGsn/+4Px0HLyG4tuhxBT
	vbeiso1SnLtUkWK49XysisddYo8uZygW2v+lIeAESgwTrsoU0i44At6ghZxlJ2WnkD5F4a
	9fijc7ShxHZUwEQvHVhAEWHElIFGTwBoJYbThAW6zKjLoatSLJabqRwFvpJSlG5YZY/iEX
	7JqdRtW3AnONxs07Wz5fG6ieDy2E1XSux+AtjswL5Cx8xciOpXLl1Y0s5BxVSA==
Received: from icepick.vmeta.jp (unknown [IPv6:2403:bd80:c100:401:759f:ff1a:447f:6d89])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: meta/mail)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4S2wzk70JNztB7;
	Sat,  7 Oct 2023 19:56:50 +0000 (UTC)
	(envelope-from meta@freebsd.org)
Date: Sun, 8 Oct 2023 04:56:43 +0900
From: Koichiro Iwao <meta@freebsd.org>
To: Dag-Erling =?utf-8?B?U23DuHJncmF2?= <des@freebsd.org>
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, 
	dev-commits-ports-main@freebsd.org, ports@freebsd.org
Subject: Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl
 instead of a symlink.
Message-ID: <e3g73uqrsnhlvufy6fqvcnhpmk2end6oaawwqjgfyn3avpxchq@kkxcogbrjalt>
X-Operating-System: FreeBSD 13.2-STABLE amd64
References: <202310061549.396Fn8xF027032@gitrepo.freebsd.org>
 <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk>
 <868r8eeja5.fsf@ltc.des.no>
 <j5hsadyeheayonhr5zudy2xurjtujxt3o6ilyyv4z7eej4zxnl@ptiztdqopea2>
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <j5hsadyeheayonhr5zudy2xurjtujxt3o6ilyyv4z7eej4zxnl@ptiztdqopea2>

On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote:
> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Smørgrav wrote:
> > Koichiro Iwao <meta@freebsd.org> writes:
> > > % LANG=C wget -O - https://www.freebsd.org
> > > --2023-10-07 19:50:58--  https://www.freebsd.org/
> > > Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
> > > Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> > > ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
> > >   Unable to locally verify the issuer's authority.
> > > To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
> > 
> > I'm unable to reproduce this on 13.2.  Running wget under ktrace shows
> > that although it first looks for the nonexistent bundle, it correctly
> > falls back to the system trust store.

Regarding wget, it was an issue with security/openssl.

I'm using openssl from ports:
> DEFAULT_VERSIONS+=      ssl=openssl

As far as I tried debugging with ktrace, security/openssl doesn't
fallback to /etc/ssl/certs directory.

% LANG=C ktrace wget -O /dev/null https://www.freebsd.org/
--2023-10-08 04:32:45--  https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 210.231.212.93, ...
Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to www.freebsd.org insecurely, use `--no-check-certificate'.

% kdump -tn |grep -e "/etc" -e "certs"
 28088 wget     NAMI  "/etc/libmap.conf"
 28088 wget     NAMI  "/usr/local/etc/libmap.d"
 28088 wget     NAMI  "/usr/local/etc/libmap.d/mesa.conf"
 28088 wget     NAMI  "/etc/malloc.conf"
 28088 wget     NAMI  "/usr/local/etc/wgetrc"
 28088 wget     NAMI  "/usr/local/etc/wgetrc"
 28088 wget     NAMI  "/etc/localtime"
 28088 wget     NAMI  "/etc/nsswitch.conf"
 28088 wget     NAMI  "/etc/nsswitch.conf"
 28088 wget     NAMI  "/etc/hosts"
 28088 wget     NAMI  "/etc/resolv.conf"
 28088 wget     NAMI  "/usr/local/openssl/certs/8d33f237.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/4042bcee.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/bfabe37b.0"

% ls -l /usr/local/openssl/certs
(empty)

# rmdir /usr/local/openssl/certs
# ln -s /etc/ssl/certs /usr/local/openssl

So I replaced /usr/local/openssl/certs directory with a symlink to
/etc/ssl/certs directory. The workaround worked perfectly.

The security/openssl port might need some adjustment. After ca_root_nss
quit providing /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should
be added to the search path. Otherwise, openssl port cannot find root
certificates installed by ca_root_nss.

-- 
meta <meta@FreeBSD.org>