From nobody Thu Oct 05 15:53:44 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S1bh837Sdz4vrNj;
	Thu,  5 Oct 2023 15:53:44 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4S1bh82VHVz3Kn1;
	Thu,  5 Oct 2023 15:53:44 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1696521224;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=r1lnMj3u3MjG+uBWoeeSr4FpzJOw02nKRl5Qc4bwSpY=;
	b=ROME49/hraRgM6ph0nkErYCghcVZrJ7Z22rUe4mvh3X0jHzUgy7TCqzYXCO7Hiiw2cFc2V
	jthDVhIbZmhAPYUYJ3ktzRQMfabr/CHhEyXIaFFxXVVkzYyqbkXwVy6wOy0vH6wB2s8/Ox
	JwS0kcJUvBPZ+wJR43syTsKeqVIE82NENCsFwrgzoejU+r0zi7egFyra/OUReJHpymsfbA
	WaPUqwnjahi2DBSmoThPrguGZAAw90S/iZU7Gt5CmAN/d+iYtcwFY2lNX+iIUl3kdZF/UX
	VQfu2R5i/m/4ULI7bsGZs7YEx8zw9BsKctd883CNyYjYYfmL/LhC8Qr4uuyp1w==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696521224; a=rsa-sha256; cv=none;
	b=bWe7ll08JJmSynOoMbiJ7WTdH3JhpYtuI/+qRtg1I25VQWAR3XafIVHPtfzmv2Y3wxEXNa
	lNst+Hy4D/Mwj/D8HNSRe/Tl5pCc7p5UAmHPyknyXf0MOPNC43YH8BR2UOh0M/l7pRVTKX
	9au5/usnXD5c0eayPvOvVqMouPZKi80lLUenV3+U2WQVKKCtxcR0Y/5VaEjZ6ABduixCwG
	YzWtJWXVzrYI2GPNyDoGqjtubMS0SEW9aJdgk9FLVDEksTnVLLOSaFeiMxQl8FCSvWVLhE
	Ulnqu9GTwkAgJGtxXQGxuo/JCHlTb12KLhWLhX6MBgeAx7s1XuSuihQpwgS3pQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1696521224;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=r1lnMj3u3MjG+uBWoeeSr4FpzJOw02nKRl5Qc4bwSpY=;
	b=o6SStZ1UYKSPLP7+22l/i6eRz8U3SMgyRLGETnP07jA6rvvJ07nx21/N2zK+iegp9BRxht
	0jbhcxuQ5drQHiwUxx8HSjcZAvZkoYpQYcHlbCrmqZRQuYNEq0f/Lbdu1LMgUMMV4sxSMY
	dqk/Eqqp+4jnWiFggb9SApuIhJEjjZWFH8fZcf0zYW34nhCG46rx5nFKaQv0dLvNh+zaRB
	OaUNUKl/bW+qinUaQE/bP0VSyHUhaLKfGMOIvrSZE2jE2sXZDSUIP72Ji6dv/Hk5rnbEW7
	RqJS085YtgXvjgRFF7LxvU+KGX+jFkBr6JfTGaYuoY9C9uypS2ZSLw4gXwdEnA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S1bh81Xhsz1Q89;
	Thu,  5 Oct 2023 15:53:44 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 395Fripd046271;
	Thu, 5 Oct 2023 15:53:44 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 395FriGk046268;
	Thu, 5 Oct 2023 15:53:44 GMT
	(envelope-from git)
Date: Thu, 5 Oct 2023 15:53:44 GMT
Message-Id: <202310051553.395FriGk046268@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= <des@FreeBSD.org>
Subject: git: 4357ae1174f3 - releng/14.0 - libfetch: don't rely on
  ca_root_nss for certificate validation
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.0
X-Git-Reftype: branch
X-Git-Commit: 4357ae1174f37fa2c10f7de7c05536f23e7439c4
Auto-Submitted: auto-generated

The branch releng/14.0 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=4357ae1174f37fa2c10f7de7c05536f23e7439c4

commit 4357ae1174f37fa2c10f7de7c05536f23e7439c4
Author:     Michael Osipov <michael.osipov@siemens.com>
AuthorDate: 2023-10-03 05:53:20 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2023-10-05 15:52:43 +0000

    libfetch: don't rely on ca_root_nss for certificate validation
    
    Before certctl(8), there was no system trust store, and libfetch
    relied on the CA certificate bundle from the ca_root_nss port to
    verify peers.
    
    We now have a system trust store and a reliable mechanism for
    manipulating it (to explicitly add, remove, or revoke certificates),
    but if ca_root_nss is installed, libfetch will still prefer that to
    the system trust store.
    
    With this change, unless explicitly overridden, libfetch will rely on
    OpenSSL to pick up the default system trust store.
    
    PR:             256902
    MFC after:      3 days
    Reviewed by:    kevans
    Differential Revision:  https://reviews.freebsd.org/D42059
    Approved by:    re (gjb)
    
    (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)
    (cherry picked from commit fb058a9a40a5adc82721ed822fb4fba213446a7b)
---
 lib/libfetch/common.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index fd2091791620..dfa742577585 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1055,8 +1055,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 /*
  * Configure peer verification based on environment.
  */
-#define LOCAL_CERT_FILE	_PATH_LOCALBASE "/etc/ssl/cert.pem"
-#define BASE_CERT_FILE	"/etc/ssl/cert.pem"
 static int
 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 {
@@ -1066,12 +1064,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
 
 	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
 		ca_cert_file = getenv("SSL_CA_CERT_FILE");
-		if (ca_cert_file == NULL &&
-		    access(LOCAL_CERT_FILE, R_OK) == 0)
-			ca_cert_file = LOCAL_CERT_FILE;
-		if (ca_cert_file == NULL &&
-		    access(BASE_CERT_FILE, R_OK) == 0)
-			ca_cert_file = BASE_CERT_FILE;
 		ca_cert_path = getenv("SSL_CA_CERT_PATH");
 		if (verbose) {
 			fetch_info("Peer verification enabled");