Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.

From: Koichiro Iwao <meta_at_freebsd.org>
Date: Sat, 07 Oct 2023 10:56:54 UTC
Hi,

Some applications cannot verify SSL certificates after this update. I tried to
rebuild wget and aria2 with the revision after the recent update of ca_root_nss but
no joy. I think all ca_root_nss consumers must be checked.

% LANG=C aria2c https://www.freebsd.org/

10/07 19:45:55 [NOTICE] Downloading 1 item(s)

10/07 19:45:55 [ERROR] Failed to load trusted CA certificates from no. Cause: error:02001002:system library:fopen:No such file or directory

10/07 19:45:55 [ERROR] CUID#7 - Download aborted. URI=https://www.freebsd.org/
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://www.freebsd.org/
  -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: unable to get local issuer certificate
[#2ed384 0B/0B CN:0 DL:0B]
10/07 19:45:56 [NOTICE] Download GID#2ed384d2f1d3b6be not complete:

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
2ed384|ERR |       0B/s|https://www.freebsd.org/

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

% LANG=C wget -O - https://www.freebsd.org
--2023-10-07 19:50:58--  https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to www.freebsd.org insecurely, use `--no-check-certificate'.

% pkg info ca_root_nss
ca_root_nss-3.93_1
Name           : ca_root_nss
Version        : 3.93_1
Installed on   : Sat Oct  7 19:26:44 2023 JST
Origin         : security/ca_root_nss
Architecture   : FreeBSD:13:*
Prefix         : /usr/local
Categories     : security
Licenses       : MPL20
Maintainer     : ports-secteam@FreeBSD.org
WWW            : UNKNOWN
Comment        : Root certificate bundle from the Mozilla Project
Annotations    :
Flat size      : 747KiB
Description    :
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.

% pkg info aria2
aria2-1.36.0_3
Name           : aria2
Version        : 1.36.0_3
Installed on   : Sat Oct  7 19:41:52 2023 JST
Origin         : www/aria2
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : www
Licenses       : GPLv2
Maintainer     : sunpoet@FreeBSD.org
WWW            : https://aria2.github.io/
Comment        : Yet another download tool
Options        :
        CARES          : off
        DOCS           : on
        EXPAT          : off
        LIBUV          : off
        LIBXML2        : on
        NLS            : on
        SQLITE         : on
        SSH2           : off
        STATIC         : on
Shared Libs required:
        libxml2.so.2
        libssl.so.11
        libsqlite3.so.0
        libintl.so.8
        libcrypto.so.11
Shared Libs provided:
        libaria2.so.0
Annotations    :
        FreeBSD_version: 1302508
        cpe            : cpe:2.3:a:aria2_project:aria2:1.36.0:::::freebsd13:x64:3
Flat size      : 16.5MiB
Description    :
aria2 is a lightweight multi-protocol & multi-source command-line download
utility. It supports HTTP/HTTPS, FTP, BitTorrent and Metalink. aria2 can be
manipulated via built-in JSON-RPC and XML-RPC interfaces. Its features include:
- Multi-Connection Download.
  aria2 can download a file from multiple sources/protocols and tries to utilize
  your maximum download bandwidth. Really speeds up your download experience.
- Lightweight.
  aria2 doesn't require much memory and CPU time. The physical memory usage is
  typically 4MiB (normal HTTP/FTP downloads) to 9MiB (BitTorrent downloads). CPU
  usage in BitTorrent with download speed of 2.8MiB/sec is around 6%.
- Fully Featured BitTorrent Client.
  All features you want in BitTorrent client are available: DHT, PEX,
  Encryption, Magnet URI, Web-Seeding, Selective Downloads and Local Peer
  Discovery.
- Metalink Enabled.
  aria2 supports The Metalink Download Description Format (aka Metalink v4),
  Metalink version 3 and Metalink/HTTP. Metalink offers the file verification,
  HTTP/FTP/BitTorrent integration and the various configurations for language,
  location, OS, etc.
- Remote Control.
  aria2 supports RPC interface to control the aria2 process. The supported
  interfaces are JSON-RPC (over HTTP and WebSocket) and XML-RPC.

% pkg info wget
wget-1.21.4
Name           : wget
Version        : 1.21.4
Installed on   : Sat Oct  7 19:52:03 2023 JST
Origin         : ftp/wget
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : www ftp
Licenses       : GPLv3+
Maintainer     : vd@FreeBSD.org
WWW            : https://www.gnu.org/s/wget/
Comment        : Retrieve files from the Net via HTTP(S) and FTP
Options        :
        DOCS           : on
        GNUTLS         : off
        IDN            : on
        IPV6           : on
        MANPAGES       : on
        METALINK       : off
        NLS            : on
        NTLM           : off
        OPENSSL        : on
        PCRE2          : off
        PSL            : on
Shared Libs required:
        libunistring.so.5
        libssl.so.11
        libpsl.so.5
        libpcre.so.1
        libintl.so.8
        libidn2.so.0
        libcrypto.so.11
Annotations    :
        FreeBSD_version: 1302508
        cpe            : cpe:2.3:a:gnu:wget:1.21.4:::::freebsd13:x64
Flat size      : 3.45MiB
Description    :
GNU wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols. It is a
non-interactive command-line tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.

GNU wget has many features to make retrieving large files or mirroring
entire web or FTP sites easy, including:

 o Can resume aborted downloads, using REST and RANGE
 o Can use filename wild cards and recursively mirror directories
 o NLS-based message files for many different languages
 o Optionally converts absolute links in downloaded documents to
   relative, so that downloaded documents may link to each other locally
 o Supports HTTP and SOCKS proxies
 o Supports HTTP cookies
 o Supports persistent HTTP connections
 o Unattended / background operation
 o Uses local file timestamps to determine whether documents need to
   be re-downloaded when mirroring
 o GNU wget is distributed under the GNU General Public License.

On Fri, Oct 06, 2023 at 03:49:08PM +0000, Dag-Erling Smørgrav wrote:
> The branch main has been updated by des:
> 
> URL: https://cgit.FreeBSD.org/ports/commit/?id=483e74f44b82f20bddd5608beef74b2a5ab38a88
> 
> commit 483e74f44b82f20bddd5608beef74b2a5ab38a88
> Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
> AuthorDate: 2023-10-06 15:45:21 +0000
> Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
> CommitDate: 2023-10-06 15:48:57 +0000
> 
>     security/ca_root_nss: Use certctl instead of a symlink.
>     
>     MFH:            2023Q4
>     Reviewed by:    fluffy, sunpoet
>     Differential Revision:  https://reviews.freebsd.org/D42045
> ---
>  security/ca_root_nss/Makefile             | 12 +-----------
>  security/ca_root_nss/files/pkg-message.in | 14 --------------
>  security/ca_root_nss/pkg-plist            |  6 ++----
>  3 files changed, 3 insertions(+), 29 deletions(-)
> 
> diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
> index db98535229c1..3abe00856c78 100644
> --- a/security/ca_root_nss/Makefile
> +++ b/security/ca_root_nss/Makefile
> @@ -1,6 +1,6 @@
>  PORTNAME=	ca_root_nss
>  PORTVERSION=	${VERSION_NSS}
> -PORTREVISION=	0
> +PORTREVISION=	1
>  CATEGORIES=	security
>  MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
>  DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
> @@ -17,14 +17,8 @@ USE_PERL5=	build
>  NO_ARCH=	yes
>  WRKSRC_SUBDIR=	nss
>  
> -OPTIONS_DEFINE=		ETCSYMLINK
> -OPTIONS_DEFAULT=	ETCSYMLINK
> -
>  OPTIONS_SUB=		yes
>  
> -ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
> -ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*
> -
>  CERTDIR?=	share/certs
>  PLIST_SUB+=	CERTDIR=${CERTDIR}
>  
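Review bot: dropping `ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*` in this hunk also drops the install-time conflict with the ca-roots port, and the commit message does not say whether that is intended. If both ports are now expected to register into the same certctl-managed store, say so; otherwise keep a plain `CONFLICTS_INSTALL=	ca-roots-[0-9]*`. With no options left, the remaining `OPTIONS_SUB=		yes` is dead and can go as well.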
> @@ -49,8 +43,4 @@ do-install:
>  	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
>  	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
>  
> -do-install-ETCSYMLINK-on:
> -	${MKDIR} ${STAGEDIR}/etc/ssl
> -	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
> -
>  .include <bsd.port.mk>
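Review bot: removing `do-install-ETCSYMLINK-on` deletes the `/etc/ssl/cert.pem` symlink without a migration path for consumers that were configured to read a single bundle at that path, and the report above shows exactly that breakage (aria2: `Failed to load trusted CA certificates from no`, wget: `Unable to locally verify the issuer's authority`), with a rebuild of both consumers not helping. Either keep a compatibility symlink until the affected consumers are fixed, or state in the commit message and pkg-message that consumers hardcoding `cert.pem` must be reconfigured to use the certctl-managed directory, and check the port's direct consumers before merging to the quarterly branch.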
> diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in
> index d937df3a0922..a28b233e6599 100644
> --- a/security/ca_root_nss/files/pkg-message.in
> +++ b/security/ca_root_nss/files/pkg-message.in
> @@ -7,20 +7,6 @@ audited for trustworthiness or RFC 3647 compliance.
>  
>  Assessment and verification of trust is the complete responsibility of the
>  system administrator.
> -
> -
> -This package installs symlinks to support root certificates discovery by
> -default for software that uses OpenSSL.
> -
> -This enables SSL Certificate Verification by client software without manual
> -intervention.
> -
> -If you prefer to do this manually, replace the following symlinks with
> -either an empty file or your site-local certificate bundle.
> -
> -  * /etc/ssl/cert.pem
> -  * %%PREFIX%%/etc/ssl/cert.pem
> -  * %%PREFIX%%/openssl/cert.pem
>  EOM
>  }
>  ]
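Review bot: the deleted paragraph was the only place that told administrators where trust is anchored and how to substitute a site-local bundle, and nothing replaces it. Add a short note that the bundle is now registered with `certctl rehash` on install and removed on deinstall, and how to override or exclude it, so that the remaining sentence "Assessment and verification of trust is the complete responsibility of the system administrator." is actionable.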
> diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
> index e8111772d308..ef04e1ffd140 100644
> --- a/security/ca_root_nss/pkg-plist
> +++ b/security/ca_root_nss/pkg-plist
> @@ -1,6 +1,4 @@
>  %%CERTDIR%%/ca-root-nss.crt
> -@sample etc/ssl/cert.pem.sample
> -@sample openssl/cert.pem.sample
> -%%ETCSYMLINK%%/etc/ssl/cert.pem
> -%%ETCSYMLINK%%@dir /etc/ssl
> +@postexec certctl rehash
> +@postunexec certctl rehash
>  @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
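Review bot: `@postexec certctl rehash` runs unconditionally, unlike the guarded cert-sync line right below it; if the port is still meant to install on systems without certctl, guard it the same way, and otherwise document the minimum supported release in the commit message. Separately, `@sample openssl/cert.pem.sample` is dropped here while the unchanged `${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample` in do-install still stages that file, which leaves it orphaned in the stage directory; drop that ${LN} line from the Makefile too, or keep the plist entry.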

-- 
meta <meta@FreeBSD.org>