git: 8d939b7d9845 - stable/12 - libfetch: don't rely on ca_root_nss for certificate validation

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Thu, 05 Oct 2023 15:59:39 UTC

The branch stable/12 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=8d939b7d98452c0357e49b090d5a685ea8a0e69a

commit 8d939b7d98452c0357e49b090d5a685ea8a0e69a
Author:     Michael Osipov <michael.osipov@siemens.com>
AuthorDate: 2023-10-03 05:53:20 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-10-05 15:58:59 +0000

    libfetch: don't rely on ca_root_nss for certificate validation
    
    Before certctl(8), there was no system trust store, and libfetch
    relied on the CA certificate bundle from the ca_root_nss port to
    verify peers.
    
    We now have a system trust store and a reliable mechanism for
    manipulating it (to explicitly add, remove, or revoke certificates),
    but if ca_root_nss is installed, libfetch will still prefer that to
    the system trust store.
    
    With this change, unless explicitly overridden, libfetch will rely on
    OpenSSL to pick up the default system trust store.
    
    PR:             256902
    MFC after:      3 days
    Reviewed by:    kevans
    Differential Revision:  https://reviews.freebsd.org/D42059
    
    (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)
---
 lib/libfetch/common.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index 80a63123abdb..8b3b69ff3351 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -786,8 +786,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 /*
  * Configure peer verification based on environment.
  */
-#define LOCAL_CERT_FILE	"/usr/local/etc/ssl/cert.pem"
-#define BASE_CERT_FILE	"/etc/ssl/cert.pem"
 static int
 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 {
@@ -797,12 +795,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 
 	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
 		ca_cert_file = getenv("SSL_CA_CERT_FILE");
-		if (ca_cert_file == NULL &&
-		    access(LOCAL_CERT_FILE, R_OK) == 0)
-			ca_cert_file = LOCAL_CERT_FILE;
-		if (ca_cert_file == NULL &&
-		    access(BASE_CERT_FILE, R_OK) == 0)
-			ca_cert_file = BASE_CERT_FILE;
 		ca_cert_path = getenv("SSL_CA_CERT_PATH");
 		if (verbose) {
 			fetch_info("Peer verification enabled");