git: dc7d88c71d2b - stable/13 - libfetch, fetch: Stop recommending the use of ca_root_nss.

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Wed, 13 Dec 2023 20:06:26 UTC
The branch stable/13 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=dc7d88c71d2be3363c94045fe439e21b8a838687

commit dc7d88c71d2be3363c94045fe439e21b8a838687
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2023-10-08 04:35:15 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-12-13 16:21:29 +0000

    libfetch, fetch: Stop recommending the use of ca_root_nss.
    
    MFC after:      3 days
    Reviewed by:    kevans, emaste
    Differential Revision:  https://reviews.freebsd.org/D42119
    
    (cherry picked from commit 2821a7498f65d357c68166e1978b491abef1ca4a)
---
 lib/libfetch/fetch.3  | 15 +--------------
 usr.bin/fetch/fetch.1 | 14 ++------------
 2 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3
index 34047d253991..663209f8fc79 100644
--- a/lib/libfetch/fetch.3
+++ b/lib/libfetch/fetch.3
@@ -24,7 +24,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 24, 2020
+.Dd October 7, 2023
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -409,19 +409,6 @@ library,
 is currently unimplemented.
 .Sh HTTPS SCHEME
 Based on HTTP SCHEME.
-By default the peer is verified using the CA bundle located in
-.Pa /usr/local/etc/ssl/cert.pem .
-If this file does not exist,
-.Pa /etc/ssl/cert.pem
-is used instead.
-If neither file exists, and
-.Ev SSL_CA_CERT_PATH
-has not been set,
-OpenSSL's default CA cert and path settings apply.
-The certificate bundle can contain multiple CA certificates.
-A common source of a current CA bundle is
-.Pa \%security/ca_root_nss .
-.Pp
 The CA bundle used for peer verification can be changed by setting the
 environment variables
 .Ev SSL_CA_CERT_FILE
diff --git a/usr.bin/fetch/fetch.1 b/usr.bin/fetch/fetch.1
index 2737373c98bf..7238226998fc 100644
--- a/usr.bin/fetch/fetch.1
+++ b/usr.bin/fetch/fetch.1
@@ -28,7 +28,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd October 29, 2020
+.Dd October 7, 2023
 .Dt FETCH 1
 .Os
 .Sh NAME
@@ -131,18 +131,8 @@ only.
 .It Fl -ca-cert= Ns Ar file
 [SSL]
 Path to certificate bundle containing trusted CA certificates.
-If not specified,
-.Pa /usr/local/etc/ssl/cert.pem
-is used.
-If this file does not exist,
-.Pa /etc/ssl/cert.pem
-is used instead.
-If neither file exists and no CA path has been configured,
+Otherwise,
 OpenSSL's default CA cert and path settings apply.
-The certificate bundle can contain multiple CA certificates.
-The
-.Pa security/ca_root_nss
-port is a common source of a current CA bundle.
 .It Fl -ca-path= Ns Ar dir
 [SSL]
 The directory