bin/189882: fetch -no-verify-peer no longer disables SSL verification

Kurt Jaeger pi at
Sat May 17 11:00:04 UTC 2014

>Number:         189882
>Category:       bin
>Synopsis:       fetch -no-verify-peer no longer disables SSL verification
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 17 11:00:04 UTC 2014
>Originator:     Kurt Jaeger
>Release:        FreeBSD 10.0-RELEASE-p3 amd64
System: FreeBSD 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014 root at amd64

	fetch -no-verify-peer allows fetching from https even if the
	remote site cannot be verified. It no longer works.

f10# fetch -v -no-verify-peer
looking up
connecting to
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /etc/ssl/cert.pem
Certificate verification failed for /C=US/O=DigiCert Inc/ SHA2 High Assurance Server CA
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: Authentication error

The cause seems to be that the system-ssl-lib no longer supports disabling
the verification via

	setenv("SSL_NO_VERIFY_PEER", "", 1);

which it did in the past? (/usr/src/usr.bin/fetch/fetch.c, line 1034)


	see above


	TODO: Find a fix.

