Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.

From: Dag-Erling_Smørgrav <des_at_FreeBSD.org>
Date: Sat, 07 Oct 2023 11:29:42 UTC

Koichiro Iwao <meta@freebsd.org> writes:
> Some applications cannot verify SSL certificate after this update. I tried to
> rebuild wget and aria2 with the revision after recent update of ca_root_nss but
> no joy.
>
> % LANG=C aria2c https://www.freebsd.org/
> [...]

The bug is in aria2 which tries to load a trust bundle named "no".  This
comes from the --without-ca-bundle option which the maintainer requested
that I add when he reviewed my patch.  I didn't think it mattered so I
added it without testing the result, but rather than disabling the use
of a trust bundle it just (because of how autoconf works) sets the trust
bundle path to "no".  I'll commit a fix as soon as I've tested it.

> I think all ca_root_nss consumers must be checked.

That's not really feasible.  I can only check ports which (incorrectly,
in most cases) declare a dependency on it.  Significantly, wget does
not, so if it's broken it's been broken for at least three years.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
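
The failure mode described in the message above, as an added example that is not part of the original e-mail and is not aria2's or the port's actual configure code: autoconf treats `--without-PACKAGE` as `--with-PACKAGE=no`, so a script that uses the option value directly as a file path ends up with a trust bundle named "no". The function names, the `disabled`/`default` keywords and the sample path are assumptions made for illustration.

```sh
#!/bin/sh
# Hypothetical configure fragment; names are illustrative, not aria2's code.

# Mimic the option parser autoconf generates for AC_ARG_WITH([ca-bundle]):
#   --with-ca-bundle=PATH -> PATH, --with-ca-bundle -> yes,
#   --without-ca-bundle   -> no   (same as --with-ca-bundle=no)
parse_with_ca_bundle() {
    with_ca_bundle=""
    for arg in "$@"; do
        case "$arg" in
            --with-ca-bundle=*)  with_ca_bundle=${arg#--with-ca-bundle=} ;;
            --with-ca-bundle)    with_ca_bundle=yes ;;
            --without-ca-bundle) with_ca_bundle=no ;;
        esac
    done
    printf '%s\n' "$with_ca_bundle"
}

# Naive handling: any non-empty value is taken as the bundle path,
# so --without-ca-bundle yields a bundle named "no".
bundle_path_naive() {
    val=$(parse_with_ca_bundle "$@")
    if [ -n "$val" ]; then printf '%s\n' "$val"; fi
}

# Checked handling: treat "no" and "yes"/unset as keywords, accept only
# absolute paths, and reject anything else at configure time.
resolve_ca_bundle() {
    val=$(parse_with_ca_bundle "$@")
    case "$val" in
        no)     printf 'disabled\n' ;;
        ""|yes) printf 'default\n' ;;
        /*)     printf '%s\n' "$val" ;;
        *)      echo "error: --with-ca-bundle wants an absolute path, got '$val'" >&2
                return 1 ;;
    esac
}

# Constructed sample invocations.
for opt in --without-ca-bundle --with-ca-bundle=/constructed/certs/bundle.pem; do
    echo "$opt: naive='$(bundle_path_naive "$opt")' checked='$(resolve_ca_bundle "$opt")'"
done
```

Rejecting non-absolute values at configure time turns a silent runtime verification failure into a build error.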