Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
Date: Sat, 07 Oct 2023 11:29:42 UTC
Koichiro Iwao <meta@freebsd.org> writes:
> Some applications cannot verify SSL certificate after this update. I tried to
> rebuild wget and aria2 with the revision after recent update of ca_root_nss but
> no joy.
>
> % LANG=C aria2c https://www.freebsd.org/
> [...]

The bug is in aria2 which tries to load a trust bundle named "no".  This
comes from the --without-ca-bundle option which the maintainer requested
that I add when he reviewed my patch.  I didn't think it mattered so I
added it without testing the result, but rather than disabling the use
of a trust bundle it just (because of how autoconf works) sets the trust
bundle path to "no".  I'll commit a fix as soon as I've tested it.

> I think all ca_root_nss consumers must be checked.

That's not really feasible.  I can only check ports which (incorrectly,
in most cases) declare a dependency on it.  Significantly, wget does
not, so if it's broken it's been broken for at least three years.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
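
The autoconf behaviour described in the message above, as an added example that is not part of the original message and is not aria2's configure.ac or the port's patch. The function names, the default-on-unset policy and the /constructed/ paths are assumptions made for illustration.

```shell
# Autoconf maps --without-ca-bundle to with_ca_bundle=no and a bare
# --with-ca-bundle to with_ca_bundle=yes. Both are reserved words,
# not file names, and the script has to treat them as such.

# Naive handling: any non-empty value is used as the bundle path, so
# --without-ca-bundle produces a trust bundle path of "no".
naive_ca_bundle() {
    with_ca_bundle=$1
    if [ -n "$with_ca_bundle" ]; then
        printf '%s\n' "$with_ca_bundle"
    fi
}

# Checked handling (hypothetical helper).
# $1 = value of with_ca_bundle, $2 = default bundle path
checked_ca_bundle() {
    case $1 in
        no)     ;;                       # disabled: emit no path at all
        ''|yes) printf '%s\n' "$2" ;;    # unset or bare --with: default
        /*)     printf '%s\n' "$1" ;;    # absolute path given by the user
        *)      echo "error: --with-ca-bundle needs an absolute path, got '$1'" >&2
                return 1 ;;
    esac
}

# Constructed sample values, printed side by side.
default=/constructed/default-bundle.pem
for v in no yes /constructed/site-bundle.pem; do
    printf 'with_ca_bundle=%s naive=[%s] checked=[%s]\n' \
        "$v" "$(naive_ca_bundle "$v")" "$(checked_ca_bundle "$v" "$default")"
done
```

A run-time symptom of the naive form is a certificate verification failure on every HTTPS host, since the program opens a file literally named "no" in its working directory instead of a CA bundle.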