r253680 in CURRENT breaks GH ports and maybe others
Michael Gmelin
freebsd at grem.de
Wed Jul 31 12:55:43 UTC 2013
On Wed, 31 Jul 2013 08:18:51 -0400
Nikolai Lifanov <lifanov at mail.lifanov.com> wrote:
> r253680 enables SSL certificate verification for "fetch" command.
> Ports use "fetch" to download distfiles.
>
> At least all USE_GITHUB fetches are broken on CURRENT, and others
> might be too.
>
> What is the correct/intended way to handle master sites that use bad
> SSL certificates?
> Is there an intention to depend on a root certificate bundle after
> this?

Hi Nikolai,

I'd suggest to either:

Install security/ca_root_nss with ETCSYMLINK enabled

or alternatively add "--no-verify-peer" to fetch args for ports (which
would make sense, since ports uses checksums anyway)

As a quick workaround you can do:

  export SSL_NO_VERIFY_PEER=1
  make install

It probably makes sense to modify FETCH_ARGS
in /usr/ports/Mk/bsd.port.mk to read

  FETCH_ARGS?= -AFpr --no-verify-peer

(see also man fetch(1) and fetch(3)).

Having a cert bundle *would* be nice, but like I said, the ports system
uses checksums, so the additional security probably doesn't make up for
the trouble.

Cheers,
Michael

>
> => Attempting to fetch
> https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz
> Certificate verification failed for /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
> 34380834376:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
>
> - Nikolai Lifanov
>
--
Michael Gmelin
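
The reply above relies on the ports system checking every distfile against the port's distinfo file, however the file was fetched. A sketch of that check follows, as an added example that is not part of the original message and is not the ports framework's own code. The helper names, file names and file contents are constructed for illustration; the `SHA256 (...) = ...` and `SIZE (...) = ...` lines follow the distinfo format. The check is only as trustworthy as the distinfo file it reads.

```shell
#!/bin/sh
# Added example: check a fetched distfile against a ports-style distinfo file:
#   SHA256 (name.tar.gz) = <hex digest>
#   SIZE (name.tar.gz) = <bytes>

sha256_of() {  # print the SHA-256 hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system tool
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

distinfo_field() {  # usage: distinfo_field FIELD NAME DISTINFO
    awk -v key="$1 ($2)" '
        { split($0, kv, " = ") }
        kv[1] == key { print kv[2]; found = 1; exit }
        END { exit !found }' "$3"
}

# Return 0 only if size and digest both match, 1 on mismatch, 2 if not listed.
verify_distfile() {  # usage: verify_distfile FILE DISTINFO
    name=${1##*/}
    want_sum=$(distinfo_field SHA256 "$name" "$2") &&
    want_size=$(distinfo_field SIZE "$name" "$2") || {
        echo "no distinfo entry for $name" >&2; return 2; }
    [ "$(wc -c < "$1" | tr -d ' ')" = "$want_size" ] || {
        echo "size mismatch for $name" >&2; return 1; }
    [ "$(sha256_of "$1")" = "$want_sum" ] || {
        echo "checksum mismatch for $name" >&2; return 1; }
    echo "OK $name"
}

# Demo on constructed data: a stand-in distfile and the distinfo describing it.
demo_dir=$(mktemp -d)
printf 'constructed distfile contents\n' > "$demo_dir/example-1.0.tar.gz"
{
    echo "SHA256 (example-1.0.tar.gz) = $(sha256_of "$demo_dir/example-1.0.tar.gz")"
    echo "SIZE (example-1.0.tar.gz) = $(wc -c < "$demo_dir/example-1.0.tar.gz" | tr -d ' ')"
} > "$demo_dir/distinfo"
verify_distfile "$demo_dir/example-1.0.tar.gz" "$demo_dir/distinfo"
# Same length, different bytes: the size check passes, the digest check fails.
printf 'c0nstructed distfile contents\n' > "$demo_dir/example-1.0.tar.gz"
verify_distfile "$demo_dir/example-1.0.tar.gz" "$demo_dir/distinfo" || echo "rejected"
```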