[Bug 275144] security/lastpass-cli: Error: SSL peer certificate or SSH remote key was not OK

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 16 Nov 2023 22:55:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275144

            Bug ID: 275144
           Summary: security/lastpass-cli: Error: SSL peer certificate or
                    SSH remote key was not OK
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: sunpoet@FreeBSD.org
          Reporter: john@saltant.com
          Assignee: sunpoet@FreeBSD.org
             Flags: maintainer-feedback?(sunpoet@FreeBSD.org)

Synopsis
========

The login and logout commands of the LastPass CLI fail with the following error
on 13.2-RELEASE-p3 amd64.

    Error: SSL peer certificate or SSH remote key was not OK


Observed behavior
=================

    % lpass login username@example.com
    Error: SSL peer certificate or SSH remote key was not OK
    %


Expected behavior
=================

    % lpass login username@example.com
    # password prompt appears


Workaround
==========

Option 1: Install security/ca_root_nss

Option 2: Set SSL_CERT_DIR=/etc/ssl/certs in the environment


Analysis
========

By default, the lpass command tries to load a trust store first from
/usr/local/openssl/cert.pem and then from /usr/local/openssl/certs. When
security/ca_root_nss is not installed, no trust store is present at these
locations by default.

When attempting to load from a CA path by hash symlink, the following hashes
are attempted.

    4bd443a4.0
    1d3472b9.0
    5c47d203.0

The second one is present in the base trust store and refers to

    /usr/share/certs/trusted/GlobalSign_ECC_Root_CA_-_R5.pem

-- 
You are receiving this mail because:
You are the assignee for the bug.