svn commit: r266291 - head/lib/libfetch
Adam McDougall
mcdouga9 at egr.msu.edu
Tue May 27 14:07:16 UTC 2014
On 05/16/2014 23:39, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Sat May 17 03:39:56 2014
> New Revision: 266291
> URL: http://svnweb.freebsd.org/changeset/base/266291
>
> Log:
> Look for root certificates in /usr/local/etc/ssl before /etc/ssl.
>
> MFH: 1 week
>
> Modified:
> head/lib/libfetch/common.c
>
> Modified: head/lib/libfetch/common.c
> ==============================================================================
> --- head/lib/libfetch/common.c Sat May 17 03:28:43 2014 (r266290)
> +++ head/lib/libfetch/common.c Sat May 17 03:39:56 2014 (r266291)
> @@ -688,6 +688,8 @@ fetch_ssl_setup_transport_layer(SSL_CTX
> /*
> * Configure peer verification based on environment.
> */
> +#define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem"
> +#define BASE_CERT_FILE "/etc/ssl/cert.pem"
> static int
> fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
> {
> @@ -696,8 +698,12 @@ fetch_ssl_setup_peer_verification(SSL_CT
> const char *ca_cert_file, *ca_cert_path, *crl_file;
>
> if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
> - ca_cert_file = getenv("SSL_CA_CERT_FILE") != NULL ?
> - getenv("SSL_CA_CERT_FILE") : "/etc/ssl/cert.pem";
> + ca_cert_file = getenv("SSL_CA_CERT_FILE");
> + if (ca_cert_file == NULL &&
> + access(LOCAL_CERT_FILE, R_OK) == 0)
> + ca_cert_file = LOCAL_CERT_FILE;
> + if (ca_cert_file == NULL)
> + ca_cert_file = BASE_CERT_FILE;
> ca_cert_path = getenv("SSL_CA_CERT_PATH");
> if (verbose) {
> fetch_info("Peer verification enabled");
Was /usr/local/share/certs/ca-root-nss.crt the intended path? If not,
what port is expected to install /usr/local/etc/ssl/cert.pem? I found
security/ca_root_nss/ but it needs the ETCSYMLINK which also makes this
patch unnecessary, so I'm confused. I'd like to make use of it and in a
proper manner. Thanks.
More information about the svn-src-all
mailing list