From nobody Sun Oct 08 19:04:38 2023
Date: Sun, 8 Oct 2023 21:04:38 +0200
From: Tĳl Coosemans <tijl@FreeBSD.org>
To: Koichiro Iwao
Cc: Dag-Erling Smørgrav, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, ports@freebsd.org
Subject: Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
Message-ID: <20231008210438.1d6f0953@hal.tijl.coosemans.org>
References: <202310061549.396Fn8xF027032@gitrepo.freebsd.org> <868r8eeja5.fsf@ltc.des.no>

On Sun, 8 Oct 2023 04:56:43 +0900 Koichiro Iwao wrote:
> On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote:
>> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Smørgrav wrote:
>>> Koichiro Iwao writes:
>>>> % LANG=C wget -O - https://www.freebsd.org
>>>> --2023-10-07 19:50:58-- https://www.freebsd.org/
>>>> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
>>>> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
>>>> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
>>>> Unable to locally verify the issuer's authority.
>>>> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
>>>
>>> I'm unable to reproduce this on 13.2. Running wget under ktrace shows
>>> that although it first looks for the nonexistent bundle, it correctly
>>> falls back to the system trust store.
>
> Regarding wget, it was an issue with security/openssl.
>
> I'm using openssl from ports:
>
> DEFAULT_VERSIONS+= ssl=openssl
>
> As far as I tried debugging with ktrace, security/openssl doesn't
> fall back to the /etc/ssl/certs directory.
>
> % LANG=C ktrace wget -O /dev/null https://www.freebsd.org/
> --2023-10-08 04:32:45-- https://www.freebsd.org/
> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 210.231.212.93, ...
> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
> Unable to locally verify the issuer's authority.
> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
>
> % kdump -tn |grep -e "/etc" -e "certs"
> 28088 wget NAMI "/etc/libmap.conf"
> 28088 wget NAMI "/usr/local/etc/libmap.d"
> 28088 wget NAMI "/usr/local/etc/libmap.d/mesa.conf"
> 28088 wget NAMI "/etc/malloc.conf"
> 28088 wget NAMI "/usr/local/etc/wgetrc"
> 28088 wget NAMI "/usr/local/etc/wgetrc"
> 28088 wget NAMI "/etc/localtime"
> 28088 wget NAMI "/etc/nsswitch.conf"
> 28088 wget NAMI "/etc/nsswitch.conf"
> 28088 wget NAMI "/etc/hosts"
> 28088 wget NAMI "/etc/resolv.conf"
> 28088 wget NAMI "/usr/local/openssl/certs/8d33f237.0"
> 28088 wget NAMI "/usr/local/openssl/certs/4042bcee.0"
> 28088 wget NAMI "/usr/local/openssl/certs/2e5ac55d.0"
> 28088 wget NAMI "/usr/local/openssl/certs/2e5ac55d.0"
> 28088 wget NAMI "/usr/local/openssl/certs/bfabe37b.0"
>
> % ls -l /usr/local/openssl/certs
> (empty)
>
> # rmdir /usr/local/openssl/certs
> # ln -s /etc/ssl/certs /usr/local/openssl
>
> So I replaced the /usr/local/openssl/certs directory with a symlink to
> the /etc/ssl/certs directory. The workaround worked perfectly.
>
> The security/openssl port might need some adjustment. After ca_root_nss
> quit providing the /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should
> be added to the search path. Otherwise, the openssl port cannot find root
> certificates installed by ca_root_nss.

There's a patch for security/openssl in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269473
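The kdump output above shows what the ports OpenSSL actually does: it tries hashed file names such as 8d33f237.0 under OPENSSLDIR/certs (/usr/local/openssl/certs), finds nothing, and gives up rather than looking in /etc/ssl/certs, where certctl maintains the same hashed-link layout. The script below is an added example for this thread, not code from the thread, the ports tree or the Bugzilla patch. It checks which directory a given OpenSSL build will search and whether that directory holds any hashed CA links, and it shows the per-user workaround OpenSSL documents for this situation: the SSL_CERT_DIR environment variable (SSL_CERT_FILE is the equivalent for a bundle file), which needs no root and does not replace a package-owned directory with a symlink. The function names are this example's own; the OPENSSLDIR value is taken from `openssl version -d`.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD ports tree.
# Checks the CA directory an OpenSSL build will search and suggests
# SSL_CERT_DIR as a workaround when that directory is empty.

# Print the directory OpenSSL's default store searches for hashed CA
# links: $SSL_CERT_DIR when set, otherwise OPENSSLDIR/certs.
# $1 is OPENSSLDIR (the value `openssl version -d` reports).
effective_cert_dir() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
    else
        printf '%s/certs\n' "$1"
    fi
}

# Succeed only if the directory contains at least one hashed CA link,
# i.e. a name of the form <8 hex digits>.<n> as produced by
# `openssl rehash` (and by certctl for /etc/ssl/certs). An empty
# directory, like /usr/local/openssl/certs in the report, fails here;
# so does a directory holding only an unhashed bundle file.
has_hashed_links() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# Run the check against the openssl binary on PATH and print the
# workaround for the current shell when the store is empty.
diagnose() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH" >&2
        return 2
    fi
    openssldir=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    dir=$(effective_cert_dir "$openssldir")
    if has_hashed_links "$dir"; then
        echo "ok: $dir contains hashed CA links"
        return 0
    fi
    echo "warning: $dir has no hashed CA links; certificate verification will fail"
    echo "workaround for this shell: export SSL_CERT_DIR=/etc/ssl/certs"
    return 1
}
```

Run `diagnose` on the affected machine: with the ports OpenSSL from the report it prints the warning for /usr/local/openssl/certs, and after `export SSL_CERT_DIR=/etc/ssl/certs` the same wget command verifies the Let's Encrypt chain without any change under /usr/local. The environment variable only affects processes started from that shell, which is what makes it a safe test before deciding on the symlink or the port patch.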