Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
Date: Sat, 07 Oct 2023 10:56:54 UTC
Hi,

Some applications cannot verify SSL certificates after this update. I tried to rebuild wget and aria2 with the revision after the recent update of ca_root_nss but no joy. I think all ca_root_nss consumers must be checked.

% LANG=C aria2c https://www.freebsd.org/

10/07 19:45:55 [NOTICE] Downloading 1 item(s)

10/07 19:45:55 [ERROR] Failed to load trusted CA certificates from no. Cause: error:02001002:system library:fopen:No such file or directory

10/07 19:45:55 [ERROR] CUID#7 - Download aborted. URI=https://www.freebsd.org/
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://www.freebsd.org/
  -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: unable to get local issuer certificate
[#2ed384 0B/0B CN:0 DL:0B]

10/07 19:45:56 [NOTICE] Download GID#2ed384d2f1d3b6be not complete:

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
2ed384|ERR |       0B/s|https://www.freebsd.org/

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file.
See '-l' option in help/man page for details.

% LANG=C wget -O - https://www.freebsd.org
--2023-10-07 19:50:58--  https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let's Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to www.freebsd.org insecurely, use `--no-check-certificate'.

% pkg info ca_root_nss
ca_root_nss-3.93_1
Name           : ca_root_nss
Version        : 3.93_1
Installed on   : Sat Oct  7 19:26:44 2023 JST
Origin         : security/ca_root_nss
Architecture   : FreeBSD:13:*
Prefix         : /usr/local
Categories     : security
Licenses       : MPL20
Maintainer     : ports-secteam@FreeBSD.org
WWW            : UNKNOWN
Comment        : Root certificate bundle from the Mozilla Project
Annotations    :
Flat size      : 747KiB
Description    :
Root certificates from certificate authorities included in the
Mozilla NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.

% pkg info aria2
aria2-1.36.0_3
Name           : aria2
Version        : 1.36.0_3
Installed on   : Sat Oct  7 19:41:52 2023 JST
Origin         : www/aria2
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : www
Licenses       : GPLv2
Maintainer     : sunpoet@FreeBSD.org
WWW            : https://aria2.github.io/
Comment        : Yet another download tool
Options        :
	CARES          : off
	DOCS           : on
	EXPAT          : off
	LIBUV          : off
	LIBXML2        : on
	NLS            : on
	SQLITE         : on
	SSH2           : off
	STATIC         : on
Shared Libs required:
	libxml2.so.2
	libssl.so.11
	libsqlite3.so.0
	libintl.so.8
	libcrypto.so.11
Shared Libs provided:
	libaria2.so.0
Annotations    :
	FreeBSD_version: 1302508
	cpe            : cpe:2.3:a:aria2_project:aria2:1.36.0:::::freebsd13:x64:3
Flat size      : 16.5MiB
Description    :
aria2 is a lightweight multi-protocol & multi-source command-line download
utility. It supports HTTP/HTTPS, FTP, BitTorrent and Metalink. aria2 can be
manipulated via built-in JSON-RPC and XML-RPC interfaces.

Its features include:
- Multi-Connection Download. aria2 can download a file from multiple
  sources/protocols and tries to utilize your maximum download bandwidth.
  Really speeds up your download experience.
- Lightweight. aria2 doesn't require much memory and CPU time. The physical
  memory usage is typically 4MiB (normal HTTP/FTP downloads) to 9MiB
  (BitTorrent downloads). CPU usage in BitTorrent with download speed of
  2.8MiB/sec is around 6%.
- Fully Featured BitTorrent Client. All features you want in BitTorrent
  client are available: DHT, PEX, Encryption, Magnet URI, Web-Seeding,
  Selective Downloads and Local Peer Discovery.
- Metalink Enabled. aria2 supports The Metalink Download Description Format
  (aka Metalink v4), Metalink version 3 and Metalink/HTTP. Metalink offers
  the file verification, HTTP/FTP/BitTorrent integration and the various
  configurations for language, location, OS, etc.
- Remote Control. aria2 supports RPC interface to control the aria2 process.
  The supported interfaces are JSON-RPC (over HTTP and WebSocket) and
  XML-RPC.

% pkg info wget
wget-1.21.4
Name           : wget
Version        : 1.21.4
Installed on   : Sat Oct  7 19:52:03 2023 JST
Origin         : ftp/wget
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : www ftp
Licenses       : GPLv3+
Maintainer     : vd@FreeBSD.org
WWW            : https://www.gnu.org/s/wget/
Comment        : Retrieve files from the Net via HTTP(S) and FTP
Options        :
	DOCS           : on
	GNUTLS         : off
	IDN            : on
	IPV6           : on
	MANPAGES       : on
	METALINK       : off
	NLS            : on
	NTLM           : off
	OPENSSL        : on
	PCRE2          : off
	PSL            : on
Shared Libs required:
	libunistring.so.5
	libssl.so.11
	libpsl.so.5
	libpcre.so.1
	libintl.so.8
	libidn2.so.0
	libcrypto.so.11
Annotations    :
	FreeBSD_version: 1302508
	cpe            : cpe:2.3:a:gnu:wget:1.21.4:::::freebsd13:x64
Flat size      : 3.45MiB
Description    :
GNU wget is a free software package for retrieving files using HTTP, HTTPS
and FTP, the most widely-used Internet protocols. It is a non-interactive
command-line tool, so it may easily be called from scripts, cron jobs,
terminals without X-Windows support, etc.
GNU wget has many features to make retrieving large files or mirroring
entire web or FTP sites easy, including:

o Can resume aborted downloads, using REST and RANGE
o Can use filename wild cards and recursively mirror directories
o NLS-based message files for many different languages
o Optionally converts absolute links in downloaded documents to
  relative, so that downloaded documents may link to each other locally
o Supports HTTP and SOCKS proxies
o Supports HTTP cookies
o Supports persistent HTTP connections
o Unattended / background operation
o Uses local file timestamps to determine whether documents need to be
  re-downloaded when mirroring
o GNU wget is distributed under the GNU General Public License.

On Fri, Oct 06, 2023 at 03:49:08PM +0000, Dag-Erling Smørgrav wrote:
> The branch main has been updated by des: > > URL: https://cgit.FreeBSD.org/ports/commit/?id=483e74f44b82f20bddd5608beef74b2a5ab38a88 > > commit 483e74f44b82f20bddd5608beef74b2a5ab38a88 > Author: Dag-Erling Smørgrav <des@FreeBSD.org> > AuthorDate: 2023-10-06 15:45:21 +0000 > Commit: Dag-Erling Smørgrav <des@FreeBSD.org> > CommitDate: 2023-10-06 15:48:57 +0000 > > security/ca_root_nss: Use certctl instead of a symlink. > > MFH: 2023Q4 > Reviewed by: fluffy, sunpoet > Differential Revision: https://reviews.freebsd.org/D42045 > --- > security/ca_root_nss/Makefile | 12 +----------- > security/ca_root_nss/files/pkg-message.in | 14 -------------- > security/ca_root_nss/pkg-plist | 6 ++---- > 3 files changed, 3 insertions(+), 29 deletions(-) > > diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile > index db98535229c1..3abe00856c78 100644 > --- a/security/ca_root_nss/Makefile > +++ b/security/ca_root_nss/Makefile > @@ -1,6 +1,6 @@ > PORTNAME= ca_root_nss > PORTVERSION= ${VERSION_NSS} > -PORTREVISION= 0 > +PORTREVISION= 1 > CATEGORIES= security > MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src > DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} 
> @@ -17,14 +17,8 @@ USE_PERL5= build > NO_ARCH= yes > WRKSRC_SUBDIR= nss > > -OPTIONS_DEFINE= ETCSYMLINK > -OPTIONS_DEFAULT= ETCSYMLINK > - > OPTIONS_SUB= yes > > -ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem > -ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* > - > CERTDIR?= share/certs > PLIST_SUB+= CERTDIR=${CERTDIR} > > @@ -49,8 +43,4 @@ do-install: > ${MKDIR} ${STAGEDIR}${PREFIX}/openssl > ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample > > -do-install-ETCSYMLINK-on: > - ${MKDIR} ${STAGEDIR}/etc/ssl > - ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem > - > .include <bsd.port.mk> > diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in > index d937df3a0922..a28b233e6599 100644 > --- a/security/ca_root_nss/files/pkg-message.in > +++ b/security/ca_root_nss/files/pkg-message.in > @@ -7,20 +7,6 @@ audited for trustworthiness or RFC 3647 compliance. > > Assessment and verification of trust is the complete responsibility of the > system administrator. > - > - > -This package installs symlinks to support root certificates discovery by > -default for software that uses OpenSSL. > - > -This enables SSL Certificate Verification by client software without manual > -intervention. > - > -If you prefer to do this manually, replace the following symlinks with > -either an empty file or your site-local certificate bundle. > - > - * /etc/ssl/cert.pem > - * %%PREFIX%%/etc/ssl/cert.pem > - * %%PREFIX%%/openssl/cert.pem > EOM > } > ] > diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist > index e8111772d308..ef04e1ffd140 100644 > --- a/security/ca_root_nss/pkg-plist > +++ b/security/ca_root_nss/pkg-plist 
> @@ -1,6 +1,4 @@ > %%CERTDIR%%/ca-root-nss.crt > -@sample etc/ssl/cert.pem.sample > -@sample openssl/cert.pem.sample > -%%ETCSYMLINK%%/etc/ssl/cert.pem > -%%ETCSYMLINK%%@dir /etc/ssl > +@postexec certctl rehash > +@postunexec certctl rehash > @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt -- meta <meta@FreeBSD.org>
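Review bot: the Makefile do-install hunk leaves `${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample` in place (it is unchanged context right above the removed do-install-ETCSYMLINK-on target), while the pkg-plist hunk removes the matching `@sample openssl/cert.pem.sample` entry. The staged file is then no longer listed, so either drop that install line along with the symlink target or keep the @sample entry; as committed, the plist and the staging directory disagree.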
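Review bot: in the pkg-plist hunk, `@postexec certctl rehash` and `@postunexec certctl rehash` have no existence guard, unlike the cert-sync line kept right below them (`@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || ...`); on a base system without certctl(8) the post-install script fails outright. Suggest the same pattern, e.g. `@postexec [ ! -x /usr/sbin/certctl ] || /usr/sbin/certctl rehash`. Separately, removing `%%ETCSYMLINK%%/etc/ssl/cert.pem` with only a rehash of /etc/ssl/certs as replacement leaves consumers that read a single bundle path without a CA file, which is exactly the aria2 and wget breakage reported in the reply above; the deleted pkg-message text was the only place that told administrators about those paths, so a replacement pkg-message pointing at certctl(8) and the hashed /etc/ssl/certs directory would help during the transition.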
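The aria2 and wget failures quoted in this thread are what OpenSSL-linked clients report when neither a CA bundle (cert.pem in the OpenSSL directory) nor a hashed certificate directory (certs/<hash>.<n>, which is what "certctl rehash" populates) is usable. The following POSIX shell script is an added example and is not part of the original mail or of the ca_root_nss port: it classifies an OpenSSL directory as "bundle", "hashed" or "missing" and counts the certificates in a bundle, so an administrator can check the trust store after an update before clients start failing. The function names and the test directory layout are my own; `openssl version -d` and the eight-hex-digit `<hash>.0` naming written by certctl(8) and `openssl rehash` are real.

```shell
#!/bin/sh
# Added example (not from the original mail or the ca_root_nss port):
# report whether an OpenSSL trust-store directory is actually usable.
#
# OpenSSL accepts either a single PEM bundle at $OPENSSLDIR/cert.pem or a
# directory of hash-named files at $OPENSSLDIR/certs/<hash>.<n>; the latter
# is what "certctl rehash" maintains on FreeBSD.
#
# Prints one of: bundle, hashed, missing.  Returns 1 on "missing".
ca_store_status() {
    dir="$1"
    # -s: an empty cert.pem is as useless as a missing one
    if [ -s "$dir/cert.pem" ]; then
        echo bundle
        return 0
    fi
    # certctl(8) and "openssl rehash" create names like 3513523f.0
    if [ -d "$dir/certs" ] && ls "$dir/certs" 2>/dev/null | grep -q '^[0-9a-f]\{8\}\.[0-9]$'; then
        echo hashed
        return 0
    fi
    echo missing
    return 1
}

# Count the PEM certificates in a bundle; 0 means an empty or placeholder
# file, which fails verification just like a missing one.
bundle_cert_count() {
    if [ -f "$1" ]; then
        # grep -c exits 1 when the count is 0; the count is still printed
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Stand-alone use: ask the installed OpenSSL where it looks, then check
# that location.  Skipped silently when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    ssldir=$(openssl version -d 2>/dev/null | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    if [ -n "$ssldir" ]; then
        printf '%s: %s\n' "$ssldir" "$(ca_store_status "$ssldir")" || true
        printf 'certificates in %s/cert.pem: %s\n' "$ssldir" "$(bundle_cert_count "$ssldir/cert.pem")" || true
    fi
fi
```

Run it as-is to see the verdict for the system OpenSSL directory; a "missing" result (or a count of 0) is the condition that produces "unable to get local issuer certificate" in the clients above. Applications given an explicit bundle path (aria2's CA certificate option, wget's --ca-certificate) should be pointed at a bundle that `bundle_cert_count` reports as non-empty.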