svn commit: r301500 - in stable/10: lib/libfetch usr.bin/fetch

Michael Gmelin grembo at FreeBSD.org
Mon Jun 6 11:08:06 UTC 2016


Author: grembo (ports committer)
Date: Mon Jun  6 11:08:05 2016
New Revision: 301500
URL: https://svnweb.freebsd.org/changeset/base/301500

Log:
  MFC r297052:
  
  Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles

Modified:
  stable/10/lib/libfetch/fetch.3
  stable/10/usr.bin/fetch/fetch.1
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/lib/libfetch/fetch.3
==============================================================================
--- stable/10/lib/libfetch/fetch.3	Mon Jun  6 10:21:53 2016	(r301499)
+++ stable/10/lib/libfetch/fetch.3	Mon Jun  6 11:08:05 2016	(r301500)
@@ -1,6 +1,6 @@
 .\"-
 .\" Copyright (c) 1998-2013 Dag-Erling Smørgrav
-.\" Copyright (c) 2013 Michael Gmelin <freebsd at grem.de>
+.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd at grem.de>
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2015
+.Dd March 18, 2016
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -396,8 +396,15 @@ is currently unimplemented.
 .Sh HTTPS SCHEME
 Based on HTTP SCHEME.
 By default the peer is verified using the CA bundle located in
-.Pa /etc/ssl/cert.pem .
-The file may contain multiple CA certificates.
+.Pa /usr/local/etc/ssl/cert.pem .
+If this file does not exist,
+.Pa /etc/ssl/cert.pem
+is used instead.
+If neither file exists, and
+.Ev SSL_CA_CERT_PATH
+has not been set,
+OpenSSL's default CA cert and path settings apply.
+The certificate bundle can contain multiple CA certificates.
 A common source of a current CA bundle is
 .Pa \%security/ca_root_nss .
 .Pp
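Review bot: The new paragraph describes the default bundle search order (/usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem, then OpenSSL defaults) but never says how .Ev SSL_CA_CERT_FILE fits into that order, even though the ENVIRONMENT entry for that variable in this same commit now points readers here with "Default value: See HTTPS SCHEME above." Add one sentence before "If neither file exists", e.g. "If .Ev SSL_CA_CERT_FILE is set, it is used instead of these defaults.", so a reader can tell whether the variable overrides or only supplements the two files. It is also worth stating explicitly that a bundle installed under /usr/local (the ports prefix) now takes precedence over the base-system /etc/ssl/cert.pem, since that decides which trust store every HTTPS fetch is verified against.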
@@ -428,10 +435,11 @@ Client certificate based authentication 
 The environment variable
 .Ev SSL_CLIENT_CERT_FILE
 should be set to point to a file containing key and client certificate
-to be used in PEM format. In case the key is stored in a separate
-file, the environment variable
+to be used in PEM format.
+When a PEM-format key is in a separate file from the client certificate,
+the environment variable
 .Ev SSL_CLIENT_KEY_FILE
-can be set to point to the key in PEM format.
+can be set to point to the key file.
 In case the key uses a password, the user will be prompted on standard
 input (see
 .Xr PEM 3 ) .
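Review bot: Minor style point: the rewritten lines replace "In case the key is stored" with "When a PEM-format key is", but the unchanged sentence right after still opens with "In case the key uses a password". For consistency with the new wording, consider "If the key is password protected, the user will be prompted on standard input".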
@@ -531,7 +539,7 @@ Invalid URL
 .El
 .Pp
 The accompanying error message includes a protocol-specific error code
-and message, e.g.\& "File is not available (404 Not Found)"
+and message, like "File is not available (404 Not Found)"
 .Sh ENVIRONMENT
 .Bl -tag -width ".Ev FETCH_BIND_ADDRESS"
 .It Ev FETCH_BIND_ADDRESS
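Review bot: The replacement line drops the terminating period along with "e.g.\&", so the sentence now ends with the closing quote immediately before .Sh ENVIRONMENT. Suggest "and message, such as \(dqFile is not available (404 Not Found)\(dq." ("such as" reads better than "like" in a reference page, and the period closes the sentence).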
@@ -648,8 +656,7 @@ for compatibility.
 Allow SSL version 3 when negotiating the connection (not recommended).
 .It Ev SSL_CA_CERT_FILE
 CA certificate bundle containing trusted CA certificates.
-Default value:
-.Pa /etc/ssl/cert.pem .
+Default value: See HTTPS SCHEME above.
 .It Ev SSL_CA_CERT_PATH
 Path containing trusted CA hashes.
 .It Ev SSL_CLIENT_CERT_FILE
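Review bot: "Default value: See HTTPS SCHEME above." is a plain-text cross-reference; mdoc has the .Sx macro for referring to a section of the same page, so this should be written as "Default value: see .Sx HTTPS SCHEME ." so it renders and links consistently with the rest of the manual.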

Modified: stable/10/usr.bin/fetch/fetch.1
==============================================================================
--- stable/10/usr.bin/fetch/fetch.1	Mon Jun  6 10:21:53 2016	(r301499)
+++ stable/10/usr.bin/fetch/fetch.1	Mon Jun  6 11:08:05 2016	(r301500)
@@ -1,6 +1,6 @@
 .\"-
 .\" Copyright (c) 2000-2014 Dag-Erling Smørgrav
-.\" Copyright (c) 2013 Michael Gmelin <freebsd at grem.de>
+.\" Copyright (c) 2013-2016 Michael Gmelin <freebsd at grem.de>
 .\" All rights reserved.
 .\" Portions Copyright (c) 1999 Massachusetts Institute of Technology; used
 .\" by permission.
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 25, 2015
+.Dd March 18, 2016
 .Dt FETCH 1
 .Os
 .Sh NAME
@@ -134,11 +134,17 @@ only.
 [SSL]
 Path to certificate bundle containing trusted CA certificates.
 If not specified,
-.Pa /etc/ssl/cert.pem
+.Pa /usr/local/etc/ssl/cert.pem
 is used.
-The file may contain multiple CA certificates. The port
+If this file does not exist,
+.Pa /etc/ssl/cert.pem
+is used instead.
+If neither file exists and no CA path has been configured,
+OpenSSL's default CA cert and path settings apply.
+The certificate bundle can contain multiple CA certificates.
+The
 .Pa security/ca_root_nss
-is a common source of a current CA bundle.
+port is a common source of a current CA bundle.
 .It Fl -ca-path= Ns Ar dir
 [SSL]
 The directory
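Review bot: The fetch(1) text says "If neither file exists and no CA path has been configured", while the equivalent fetch(3) paragraph in this commit names .Ev SSL_CA_CERT_PATH explicitly. Since the corresponding fetch(1) option .Fl -ca-path= Ns Ar dir is documented immediately below, name it here ("and no CA path has been configured with .Fl -ca-path or .Ev SSL_CA_CERT_PATH") so both pages describe the same fallback chain in the same terms.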
@@ -218,10 +224,16 @@ altogether, or a comma- or whitespace-se
 which proxies should not be used.
 .It Fl -no-sslv3
 [SSL]
-Don't allow SSL version 3 when negotiating the connection.
+Do not allow SSL version 3 when negotiating the connection.
+This option is deprecated and is provided for backward compatibility
+only.
+SSLv3 is disabled by default.
+Set
+.Ev SSL_ALLOW_SSL3
+to change this behavior.
 .It Fl -no-tlsv1
 [SSL]
-Don't allow TLS version 1 when negotiating the connection.
+Do not allow TLS version 1 when negotiating the connection.
 .It Fl -no-verify-hostname
 [SSL]
 Do not verify that the hostname matches the subject of the
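Review bot: The new text tells the reader to set .Ev SSL_ALLOW_SSL3 "to change this behavior" without carrying the "(not recommended)" qualifier that the fetch(3) ENVIRONMENT entry for the same variable uses in this commit. Since the option being documented is the one that disables SSLv3, the pointer to the variable that re-enables it should keep that warning, e.g. "Set .Ev SSL_ALLOW_SSL3 to re-enable it (not recommended)." Also note that with SSLv3 off by default the option itself is effectively a no-op unless that variable is set; saying so directly would make the deprecation note clearer.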
@@ -351,8 +363,10 @@ for a description of additional environm
 .Ev SSL_CLIENT_CERT_FILE ,
 .Ev SSL_CLIENT_KEY_FILE ,
 .Ev SSL_CRL_FILE ,
-.Ev SSL_NO_SSL3 ,
+.Ev SSL_ALLOW_SSL3 ,
 .Ev SSL_NO_TLS1 ,
+.Ev SSL_NO_TLS1_1 ,
+.Ev SSL_NO_TLS1_2 ,
 .Ev SSL_NO_VERIFY_HOSTNAME
 and
 .Ev SSL_NO_VERIFY_PEER .
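Review bot: This hunk adds .Ev SSL_NO_TLS1_1 and .Ev SSL_NO_TLS1_2 to the list of variables for which fetch(1) refers the reader to fetch(3), but the fetch.3 part of this same commit adds no ENVIRONMENT entries for them. Please confirm those two variables are already described in fetch(3) outside the diffed context; if they are not, they need entries there before this cross-reference is accurate.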

