git: baf69f6c9973 - stable/13 - libfetch: don't rely on ca_root_nss for certificate validation
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 05 Oct 2023 15:56:07 UTC
The branch stable/13 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=baf69f6c997392cde9ae75d3ebc25a8201c7cc99 commit baf69f6c997392cde9ae75d3ebc25a8201c7cc99 Author: Michael Osipov <michael.osipov@siemens.com> AuthorDate: 2023-10-03 05:53:20 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-10-05 15:55:33 +0000 libfetch: don't rely on ca_root_nss for certificate validation Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59) --- lib/libfetch/common.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index c01710832791..69b507109bc4 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1071,8 +1071,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) /* * Configure peer verification based on environment. */ -#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem" -#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -1082,12 +1080,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (getenv("SSL_NO_VERIFY_PEER") == NULL) { ca_cert_file = getenv("SSL_CA_CERT_FILE"); - if (ca_cert_file == NULL && - access(LOCAL_CERT_FILE, R_OK) == 0) - ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL && - access(BASE_CERT_FILE, R_OK) == 0) - ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");