From nobody Thu Oct 05 15:59:39 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S1bpz5BZVz4vsn9; Thu, 5 Oct 2023 15:59:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S1bpz4b1fz3PRs; Thu, 5 Oct 2023 15:59:39 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696521579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CQ+ERgHqxOrACocBbiLi/xYDdcOoWxSzqK8ABcbpfOk=; b=Y94d146QePvqYp+ySHr9Cp9cXbhMX334tYPk3yQwKzJfm9EYXYoOvUiZHH8NUVEIjEQvoh qUDFhUs8hFu1asOwrPIXr8yIfZhf1LRUhPiTzJKl7KkOQcNf6VAiIU6TEa0+5MG+QAKNK+ 0rUy6OvfiB5vZuKgnryH/F4kC9iALUyrf5vuEdU6FDDBhBXvFzHR8GiRhX4A4Tm9HZomcQ cIqQGAD7iqVJ0osozEBPUoP6cfmynZikgPxVqgOWY+Awvg6aocCxy1QaMHyAn7MKi1Z5Y0 KJYDCjqu7CvU1v1dKjGk2uOfo8HfzkR2S65Zh6VYVk/H5YBHTjVNELO0zr7bZA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696521579; a=rsa-sha256; cv=none; b=Uyxk9WXJie9YpqSz+b3rVrnKiD8QIwRJs4SnYJt0JlvCkqHnE4Ij9Rl/LgP5jvmaPfnAZQ WQUxQ/HQ+FsYnXHjCGwXE+ovqtJ7+0hWvMsYhOu4YbXCdURstzbDUzbNmYEiXezuoX3Mb+ XBT1Con7lJGzPEwEIL1/QcAPMZKFYmtZ6Z2iN3EysyC8Ui9V6eaEM4jhA2bfIhQXxSr9WK 4rNrv5tigKs6wC+kTvtP54fw14UHmrwH5CuFiWwjNZvC6zAvWMYvdmSzZIG474QJ3KXskJ sRwxgAO+MSZbw5Bh1mDMlQYMAUDz9MH7YBSYUGW+Cu8hlX6OewDBY0KV/rXNhQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696521579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CQ+ERgHqxOrACocBbiLi/xYDdcOoWxSzqK8ABcbpfOk=; b=SivxHnDhNqAyAf8AeoIGEDCw3OjNxT4mwZcJSR2i/HYhaSrddgX9IOjP25f6UJo5crvXlc y+xRy/yqbomVF4HjqEHzXVwZSOJBBq1flpu5lKHytzoB3ISkSShQbYxu4x5aU+ACefrOf8 ysV2ZwaE+mgZm1tzD2bzFTX9EslXF4uJ2TffieqfQmQjL+HEZoep8DBHqg50W5iaVUqDPm 7rv1HM54HEsdV5Qr3sZssEaHcu7fnnPgwxRPx+QWi48vLWCLQ6iJhdJGmT/30aPyRxFL26 ztYzOVvgyf6SpbD3Cq6aLeUXFHVzywqIHhGqz6rdd2AlS9BwUvecWr/bWlAMnA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S1bpz3fP7z1QpV; Thu, 5 Oct 2023 15:59:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 395Fxdak047999; Thu, 5 Oct 2023 15:59:39 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 395FxdVW047996; Thu, 5 Oct 2023 15:59:39 GMT (envelope-from git) Date: Thu, 5 Oct 2023 15:59:39 GMT Message-Id: <202310051559.395FxdVW047996@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: 8d939b7d9845 - stable/12 - libfetch: don't rely on ca_root_nss for certificate validation List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 8d939b7d98452c0357e49b090d5a685ea8a0e69a Auto-Submitted: auto-generated The branch stable/12 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=8d939b7d98452c0357e49b090d5a685ea8a0e69a commit 8d939b7d98452c0357e49b090d5a685ea8a0e69a Author: Michael Osipov AuthorDate: 2023-10-03 05:53:20 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2023-10-05 15:58:59 +0000 libfetch: don't rely on ca_root_nss for certificate validation Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59) --- lib/libfetch/common.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index 80a63123abdb..8b3b69ff3351 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -786,8 +786,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) /* * Configure peer verification based on environment. */ -#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" -#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -797,12 +795,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (getenv("SSL_NO_VERIFY_PEER") == NULL) { ca_cert_file = getenv("SSL_CA_CERT_FILE"); - if (ca_cert_file == NULL && - access(LOCAL_CERT_FILE, R_OK) == 0) - ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL && - access(BASE_CERT_FILE, R_OK) == 0) - ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");