Date: Sat, 7 Oct 2023 19:56:54 +0900
From: Koichiro Iwao
To: Dag-Erling Smørgrav
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org,
dev-commits-ports-main@freebsd.org, ports@freebsd.org
Subject: Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
X-Operating-System: FreeBSD 13.2-STABLE amd64
References: <202310061549.396Fn8xF027032@gitrepo.freebsd.org>
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Hi,
Some applications cannot verify SSL certificates after this update. I tried to
rebuild wget and aria2 with the revision after the recent update of ca_root_nss, but
no joy. I think all ca_root_nss consumers must be checked.
% LANG=C aria2c https://www.freebsd.org/
10/07 19:45:55 [NOTICE] Downloading 1 item(s)
10/07 19:45:55 [ERROR] Failed to load trusted CA certificates from no. Cause: error:02001002:system library:fopen:No such file or directory
10/07 19:45:55 [ERROR] CUID#7 - Download aborted. URI=https://www.freebsd.org/
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://www.freebsd.org/
-> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: unable to get local issuer certificate
[#2ed384 0B/0B CN:0 DL:0B]
10/07 19:45:56 [NOTICE] Download GID#2ed384d2f1d3b6be not complete:
Download Results:
gid |stat|avg speed |path/URI
======+====+===========+=======================================================
2ed384|ERR | 0B/s|https://www.freebsd.org/
Status Legend:
(ERR):error occurred.
aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.
% LANG=C wget -O - https://www.freebsd.org
--2023-10-07 19:50:58-- https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
Unable to locally verify the issuer's authority.
To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
% pkg info ca_root_nss
ca_root_nss-3.93_1
Name : ca_root_nss
Version : 3.93_1
Installed on : Sat Oct 7 19:26:44 2023 JST
Origin : security/ca_root_nss
Architecture : FreeBSD:13:*
Prefix : /usr/local
Categories : security
Licenses : MPL20
Maintainer : ports-secteam@FreeBSD.org
WWW : UNKNOWN
Comment : Root certificate bundle from the Mozilla Project
Annotations :
Flat size : 747KiB
Description :
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.
This port directly tracks the version of NSS in the security/nss port.
% pkg info aria2
aria2-1.36.0_3
Name : aria2
Version : 1.36.0_3
Installed on : Sat Oct 7 19:41:52 2023 JST
Origin : www/aria2
Architecture : FreeBSD:13:amd64
Prefix : /usr/local
Categories : www
Licenses : GPLv2
Maintainer : sunpoet@FreeBSD.org
WWW : https://aria2.github.io/
Comment : Yet another download tool
Options :
CARES : off
DOCS : on
EXPAT : off
LIBUV : off
LIBXML2 : on
NLS : on
SQLITE : on
SSH2 : off
STATIC : on
Shared Libs required:
libxml2.so.2
libssl.so.11
libsqlite3.so.0
libintl.so.8
libcrypto.so.11
Shared Libs provided:
libaria2.so.0
Annotations :
FreeBSD_version: 1302508
cpe : cpe:2.3:a:aria2_project:aria2:1.36.0:::::freebsd13:x64:3
Flat size : 16.5MiB
Description :
aria2 is a lightweight multi-protocol & multi-source command-line download
utility. It supports HTTP/HTTPS, FTP, BitTorrent and Metalink. aria2 can be
manipulated via built-in JSON-RPC and XML-RPC interfaces. Its features include:
- Multi-Connection Download.
aria2 can download a file from multiple sources/protocols and tries to utilize
your maximum download bandwidth. Really speeds up your download experience.
- Lightweight.
aria2 doesn't require much memory and CPU time. The physical memory usage is
typically 4MiB (normal HTTP/FTP downloads) to 9MiB (BitTorrent downloads). CPU
usage in BitTorrent with download speed of 2.8MiB/sec is around 6%.
- Fully Featured BitTorrent Client.
All features you want in BitTorrent client are available: DHT, PEX,
Encryption, Magnet URI, Web-Seeding, Selective Downloads and Local Peer
Discovery.
- Metalink Enabled.
aria2 supports The Metalink Download Description Format (aka Metalink v4),
Metalink version 3 and Metalink/HTTP. Metalink offers the file verification,
HTTP/FTP/BitTorrent integration and the various configurations for language,
location, OS, etc.
- Remote Control.
aria2 supports RPC interface to control the aria2 process. The supported
interfaces are JSON-RPC (over HTTP and WebSocket) and XML-RPC.
% pkg info wget
wget-1.21.4
Name : wget
Version : 1.21.4
Installed on : Sat Oct 7 19:52:03 2023 JST
Origin : ftp/wget
Architecture : FreeBSD:13:amd64
Prefix : /usr/local
Categories : www ftp
Licenses : GPLv3+
Maintainer : vd@FreeBSD.org
WWW : https://www.gnu.org/s/wget/
Comment : Retrieve files from the Net via HTTP(S) and FTP
Options :
DOCS : on
GNUTLS : off
IDN : on
IPV6 : on
MANPAGES : on
METALINK : off
NLS : on
NTLM : off
OPENSSL : on
PCRE2 : off
PSL : on
Shared Libs required:
libunistring.so.5
libssl.so.11
libpsl.so.5
libpcre.so.1
libintl.so.8
libidn2.so.0
libcrypto.so.11
Annotations :
FreeBSD_version: 1302508
cpe : cpe:2.3:a:gnu:wget:1.21.4:::::freebsd13:x64
Flat size : 3.45MiB
Description :
GNU wget is a free software package for retrieving files using HTTP,
HTTPS and FTP, the most widely-used Internet protocols. It is a
non-interactive command-line tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.
GNU wget has many features to make retrieving large files or mirroring
entire web or FTP sites easy, including:
o Can resume aborted downloads, using REST and RANGE
o Can use filename wild cards and recursively mirror directories
o NLS-based message files for many different languages
o Optionally converts absolute links in downloaded documents to
relative, so that downloaded documents may link to each other locally
o Supports HTTP and SOCKS proxies
o Supports HTTP cookies
o Supports persistent HTTP connections
o Unattended / background operation
o Uses local file timestamps to determine whether documents need to
be re-downloaded when mirroring
o GNU wget is distributed under the GNU General Public License.
On Fri, Oct 06, 2023 at 03:49:08PM +0000, Dag-Erling Smørgrav wrote:
> The branch main has been updated by des:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=483e74f44b82f20bddd5608beef74b2a5ab38a88
>
> commit 483e74f44b82f20bddd5608beef74b2a5ab38a88
> Author: Dag-Erling Smørgrav
> AuthorDate: 2023-10-06 15:45:21 +0000
> Commit: Dag-Erling Smørgrav
> CommitDate: 2023-10-06 15:48:57 +0000
>
> security/ca_root_nss: Use certctl instead of a symlink.
>
> MFH: 2023Q4
> Reviewed by: fluffy, sunpoet
> Differential Revision: https://reviews.freebsd.org/D42045
> ---
> security/ca_root_nss/Makefile | 12 +-----------
> security/ca_root_nss/files/pkg-message.in | 14 --------------
> security/ca_root_nss/pkg-plist | 6 ++----
> 3 files changed, 3 insertions(+), 29 deletions(-)
>
> diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
> index db98535229c1..3abe00856c78 100644
> --- a/security/ca_root_nss/Makefile
> +++ b/security/ca_root_nss/Makefile
> @@ -1,6 +1,6 @@
> PORTNAME= ca_root_nss
> PORTVERSION= ${VERSION_NSS}
> -PORTREVISION= 0
> +PORTREVISION= 1
> CATEGORIES= security
> MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
> DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
> @@ -17,14 +17,8 @@ USE_PERL5= build
> NO_ARCH= yes
> WRKSRC_SUBDIR= nss
>
> -OPTIONS_DEFINE= ETCSYMLINK
> -OPTIONS_DEFAULT= ETCSYMLINK
> -
> OPTIONS_SUB= yes
>
> -ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem
> -ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*
> -
> CERTDIR?= share/certs
> PLIST_SUB+= CERTDIR=${CERTDIR}
>
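Review bot: `OPTIONS_SUB= yes` survives as a context line although this hunk removes the port's only option (`ETCSYMLINK`), so it no longer substitutes anything; drop it together with `OPTIONS_DEFINE`/`OPTIONS_DEFAULT`. The same hunk also deletes `ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*` without a replacement, so the install-time conflict with ca-roots is silently gone. If both packages now end up feeding the same certctl-managed locations, a plain `CONFLICTS_INSTALL= ca-roots-[0-9]*` should say so; if they are meant to coexist from now on, the commit message should state that.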
> @@ -49,8 +43,4 @@ do-install:
> ${MKDIR} ${STAGEDIR}${PREFIX}/openssl
> ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
>
> -do-install-ETCSYMLINK-on:
> - ${MKDIR} ${STAGEDIR}/etc/ssl
> - ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
> -
> .include
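Review bot: the unchanged context line `${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample` still stages a file that the pkg-plist hunk in this same commit stops listing (`-@sample openssl/cert.pem.sample`), so stage-qa will report an orphan and, more importantly, `${PREFIX}/openssl/cert.pem` is never created on the installed system. Either drop the `${LN}` line too, or keep the `@sample` entry; leaving the two halves inconsistent is what breaks consumers that expect a bundle under `${PREFIX}/openssl`.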
> diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in
> index d937df3a0922..a28b233e6599 100644
> --- a/security/ca_root_nss/files/pkg-message.in
> +++ b/security/ca_root_nss/files/pkg-message.in
> @@ -7,20 +7,6 @@ audited for trustworthiness or RFC 3647 compliance.
>
> Assessment and verification of trust is the complete responsibility of the
> system administrator.
> -
> -
> -This package installs symlinks to support root certificates discovery by
> -default for software that uses OpenSSL.
> -
> -This enables SSL Certificate Verification by client software without manual
> -intervention.
> -
> -If you prefer to do this manually, replace the following symlinks with
> -either an empty file or your site-local certificate bundle.
> -
> - * /etc/ssl/cert.pem
> - * %%PREFIX%%/etc/ssl/cert.pem
> - * %%PREFIX%%/openssl/cert.pem
> EOM
> }
> ]
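Review bot: the deleted paragraphs were the only place the package told users where the trust bundle lives and how to substitute a site-local one, and nothing replaces them, so a user whose tooling referenced `/etc/ssl/cert.pem` or `%%PREFIX%%/openssl/cert.pem` gets no migration hint. Suggest a short replacement paragraph stating that the `/etc/ssl/cert.pem` symlink is no longer installed, that the certificates are now registered through certctl(8) at install and deinstall time, and that site-local trust decisions should be made with certctl rather than by replacing a symlink.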
> diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
> index e8111772d308..ef04e1ffd140 100644
> --- a/security/ca_root_nss/pkg-plist
> +++ b/security/ca_root_nss/pkg-plist
> @@ -1,6 +1,4 @@
> %%CERTDIR%%/ca-root-nss.crt
> -@sample etc/ssl/cert.pem.sample
> -@sample openssl/cert.pem.sample
> -%%ETCSYMLINK%%/etc/ssl/cert.pem
> -%%ETCSYMLINK%%@dir /etc/ssl
> +@postexec certctl rehash
> +@postunexec certctl rehash
> @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
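Review bot: `+@postexec certctl rehash` covers the base system's OpenSSL, but the reporter's `pkg info` output shows aria2 and wget linked against `libssl.so.11`, the ports OpenSSL, whose default verify locations sit under `${PREFIX}/openssl`; removing `-@sample openssl/cert.pem.sample` here leaves that location with no bundle, which matches the `unable to get local issuer certificate` and `Unable to locally verify the issuer's authority` failures above. Keep the `@sample openssl/cert.pem.sample` line (the Makefile still stages the file) until the ports OpenSSL is covered some other way. The aria2 line `Failed to load trusted CA certificates from no` also suggests aria2 picks its bundle path when it is built, so a package built on a host with no `cert.pem` present bakes in no default; the effect is not limited to runtime on the reporter's machine.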
--
meta
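A check for the situation reported above, added here as an example and not taken from the mail or from the ports commit: it reports where an OpenSSL-linked program will look for its CA trust store and whether anything is there. It assumes OpenSSL's default locations (OPENSSLDIR/cert.pem and OPENSSLDIR/certs) and the SSL_CERT_FILE/SSL_CERT_DIR overrides; the demo tree is constructed, and the ports OPENSSLDIR of ${PREFIX}/openssl is taken from the Makefile quoted in the commit.

```shell
#!/bin/sh
# Added example, not from the original mail or the ports commit.
# Report where an OpenSSL-linked program will look for its CA trust store.
# Assumed OpenSSL defaults: $OPENSSLDIR/cert.pem (bundle) and
# $OPENSSLDIR/certs (hashed directory), overridable via SSL_CERT_FILE
# and SSL_CERT_DIR.

# ca_trust_status OPENSSLDIR -> prints what was found; returns 1 if nothing.
ca_trust_status() {
    ossldir="$1"
    bundle="${SSL_CERT_FILE:-$ossldir/cert.pem}"
    hashdir="${SSL_CERT_DIR:-$ossldir/certs}"
    # -s follows symlinks, so a dangling cert.pem link counts as missing.
    if [ -s "$bundle" ]; then
        echo "bundle: $bundle"
        return 0
    fi
    # certctl rehash fills the directory with <subject-hash>.<n> entries,
    # which is the layout OpenSSL's by-hash lookup requires.
    if [ -d "$hashdir" ] && ls "$hashdir" 2>/dev/null |
            grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo "hashed dir: $hashdir"
        return 0
    fi
    echo "no trust store: neither $bundle nor hashed $hashdir"
    return 1
}

# make_demo_tree ROOT: constructed layout of a host after the commit above.
# Base OpenSSL (OPENSSLDIR=/etc/ssl) was rehashed by certctl; the ports
# OpenSSL directory (OPENSSLDIR=${PREFIX}/openssl) got neither a cert.pem
# nor a hashed directory, which is what dropping the symlink leaves behind.
make_demo_tree() {
    mkdir -p "$1/etc/ssl/certs" "$1/usr/local/openssl"
    : > "$1/etc/ssl/certs/deadbeef.0"   # constructed stand-in for a hashed link
}

# Live check on this host: ask the openssl binary for its OPENSSLDIR.
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -z "$live" ] || ca_trust_status "$live" || true
fi
```

On a FreeBSD host with the ports OpenSSL, calling `ca_trust_status /usr/local/openssl` reproduces the reporter's failure mode, while `ca_trust_status /etc/ssl` shows what `certctl rehash` provides for the base OpenSSL.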