From nobody Tue Oct 03 05:54:40 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S06Ts1Nr7z4vnq2; Tue, 3 Oct 2023 05:54:41 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S06Ts0kMsz3DPf; Tue, 3 Oct 2023 05:54:41 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696312481; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3O1zRrWIui8ZwFTyZ1J0uq2xP4RiU5wLnhO2lbCq2pQ=; b=eIVN2k4ue72VMz50/tgmTFEm3jUY3VWEoxdfKjQWcT99uCFe+ph0XYR7aLCQiwa8WwtVGb tgFEszFT88EavntQdL8vb3h3UY16ExfjesKfOONgHLJ09Tcu57/sN75YF5S/IbBpmk6RRQ nc9OmLopTKlE1a0Z7avQ/e46xRzVo8nU0xqsdOKnG1CTOLjpVfnQ0Iqfbgbf0WfYIQydcP MvBtNZY9+3hD8DNPnZhWwM0Yuki6EszJkM//Uyx59cK55bWqHEy1uhGWNnZuMV/4lBGpXt LAOkJPv8lidedOv0Nl+JaDBLTt0wTOGPgCh9JzhXQYiYyCvB2zd0TCk+jrgAXQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696312481; a=rsa-sha256; cv=none; b=tbgYjr7pmksbI420QxKcDt2xXSFRy4+6AusT8wd8Q3MzDpeuqDknvE8LQIelbpoFqwOdZC 15IHMnP5ZLgOW58vF9KvDshCcjDa52GbvIcm0pWZq8nmrHRHXYjgq3Qialkhpic0roCZIR NQ+EGWSzR8J2nODILrwteOaTPw8LPw2Rzh0wSREN9TL6BbVBnw45zVfve9eNjHkZYzSluc hdjfOjJIKIBiFqn2gCKqI+tF998LitYlYkMWd5j0RUsWGtCoJmI3pDvU91K7VNT+ulWUkE aLpJVo67vnyaeCv+0syLtFUCu9TvrIOocjg893E8pRBsX+itGJcmp+gQzilqaQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696312481; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3O1zRrWIui8ZwFTyZ1J0uq2xP4RiU5wLnhO2lbCq2pQ=; b=KIePQr8VUJRJQUOJq9HCiwJ7EYRcmuGUb0Qxj/MsHaS5DN2hNA521Nx8mr5oZBIaIjX/1O XIE+F94oPLk6e3qKuGuKPQLEptW2wT1HAxav7zZ1Sfhq9gbGECcGWJSzYzAjZ2P2PChpJc V5Pv8hyocz1tgiLB9r/+Hojm9kI9nFqjfyV2kd2Vu/BMjPPskH6JlInYuZkJTsqOVdFr0Z HhOVRsAS9AYx3bC6AUdo6H+JnJ9Tjj1hDiW9dY+07aELneJntTIA9lgTBPS0zmiYVuKG1X EJyYF4xG11KfSi/EUDP1wmfqS2npybNTzDbMbXVSTHRrO2neQwNIpHzzwoTnVA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S06Tr6tvxzjph; Tue, 3 Oct 2023 05:54:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3935seEq034737; Tue, 3 Oct 2023 05:54:40 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3935seMn034734; Tue, 3 Oct 2023 05:54:40 GMT (envelope-from git) Date: Tue, 3 Oct 2023 05:54:40 GMT Message-Id: <202310030554.3935seMn034734@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: 09f5c1e118bb - main - libfetch: don't rely on ca_root_nss for certificate validation List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 09f5c1e118bb4eca77b83a0d08f559b20f60aa59 Auto-Submitted: auto-generated The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=09f5c1e118bb4eca77b83a0d08f559b20f60aa59 commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59 Author: Michael Osipov AuthorDate: 2023-10-03 05:53:20 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2023-10-03 05:53:20 +0000 libfetch: don't rely on ca_root_nss for certificate validation Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 --- lib/libfetch/common.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index fd2091791620..dfa742577585 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1055,8 +1055,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) /* * Configure peer verification based on environment. */ -#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem" -#define BASE_CERT_FILE "/etc/ssl/cert.pem" static int fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { @@ -1066,12 +1064,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (getenv("SSL_NO_VERIFY_PEER") == NULL) { ca_cert_file = getenv("SSL_CA_CERT_FILE"); - if (ca_cert_file == NULL && - access(LOCAL_CERT_FILE, R_OK) == 0) - ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL && - access(BASE_CERT_FILE, R_OK) == 0) - ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { fetch_info("Peer verification enabled");