Please help regarding usage of client certificates with pkg command used on FreeBSD
Baptiste Daroussin
bapt at freebsd.org
Mon Jan 19 12:28:35 UTC 2015
January 19 2015 12:29 PM, "Matthew Seaman" <m.seaman at infracaninophile.co.uk> wrote:
> On 01/19/15 11:07, Baptiste Daroussin wrote:
>
>> January 1 2015 8:09 AM, "Mohit Hasija" <mh00122988 at techmahindra.com> wrote:
>>> Dear Pkg port Manager,
>>>
>>> We intend to use client certificates for https authentication during retrieval of a package from a
>>> custom repository built at remote location.
>>>
>>> We want to know the following:
>>>
>>> 1. Is there inbuilt support for usage of client certificates with "pkg" command on FreeBSD 10.1
>>> release?
>>>
>>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>>
>>> In case No, how can we add support to pkg with minimal efforts for using client certificates?
>>>
>>> Awaiting an early reply...
>>>
>>> regards
>>>
>>> Mohit Hasija
>>> Mobile No.: +91-9958302266
>>
>> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch supports such a feature.
>>
>> Adding such a feature to libfetch would be great but that would also mean it will not find its way
>> to FreeBSD 10.1 as FreeBSD 10.1 is already released.
>>
>> FYI: I added pkg at FreeBSD.org to CC as it is the right list to discuss such things.
>
> This should be possible -- see the fetch(3) man page, especially the
> ENVIRONMENT section where it mentions amongst other things:
>
> SSL_CLIENT_CERT_FILE
>         PEM encoded client certificate/key which will be used
>         in client certificate authentication.
>
> SSL_CLIENT_KEY_FILE
>         PEM encoded client key in case key and client
>         certificate are stored separately.
>
> Simply set those environment variables to appropriate values and it
> should just work. You may need to add settings to tell fetch(3) to
> trust the server certificates. If you can make the client cert
> authentication work with fetch(1) -- which might be easier to debug --
> then it should work with pkg(8). Do let us know how you get on.
>
> Cheers,
If it works with those environment variables, then you can add them right into your pkg.conf:

PKG_ENV: {
    SSL_CLIENT_CERT_FILE: ...
    SSL_CLIENT_KEY_FILE: ...
}
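
Added example, not part of the original messages or of pkg itself: a small sh helper that checks the PEM files before printing the PKG_ENV block described above, covering both the combined certificate/key file and the separate key file that fetch(3) documents. The function names and the permission check are assumptions of this example; the file paths are whatever you pass in.

```sh
#!/bin/sh
# Added example, not from the thread. File paths are supplied by the caller.
# Test the same files with fetch(1) first, as the thread suggests:
#   env SSL_CLIENT_CERT_FILE=<cert> SSL_CLIENT_KEY_FILE=<key> \
#       fetch -o /dev/null <URL of a file in your repository>

# has_pem FILE LABEL_REGEX: true if FILE holds a PEM block with that label.
has_pem() { grep -q -e "-----BEGIN $2-----" "$1" 2>/dev/null; }

# is_private FILE: true if group and other have no permission bits set.
is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# pkg_env_stanza CERT [KEY]: print a PKG_ENV block for pkg.conf,
# or explain on stderr why the files are not usable and return 1.
pkg_env_stanza() {
    cert=$1
    key=${2:-}
    [ -r "$cert" ] || { echo "$cert: not readable" >&2; return 1; }
    has_pem "$cert" "CERTIFICATE" ||
        { echo "$cert: no PEM certificate found" >&2; return 1; }

    if [ -z "$key" ]; then
        # Combined file: the key is read from SSL_CLIENT_CERT_FILE itself.
        has_pem "$cert" ".*PRIVATE KEY" ||
            { echo "$cert: no private key and no key file given" >&2; return 1; }
        keyfile=$cert
    else
        [ -r "$key" ] || { echo "$key: not readable" >&2; return 1; }
        has_pem "$key" ".*PRIVATE KEY" ||
            { echo "$key: no PEM private key found" >&2; return 1; }
        keyfile=$key
    fi

    # A client key readable by other local users defeats the authentication.
    is_private "$keyfile" ||
        { echo "$keyfile: accessible by group/other, chmod 600 it" >&2; return 1; }

    echo "PKG_ENV: {"
    echo "    SSL_CLIENT_CERT_FILE: \"$cert\""
    if [ -n "$key" ]; then
        echo "    SSL_CLIENT_KEY_FILE: \"$key\""
    fi
    echo "}"
}

# Stand-alone use: sh thisfile.sh CERT [KEY]
if [ $# -gt 0 ]; then pkg_env_stanza "$@"; fi
```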