Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
- Reply: Koichiro Iwao : "Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink."
- Reply: Dag-Erling_Smørgrav : "Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink."
- In reply to: Koichiro Iwao : "Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink."
Date: Sat, 07 Oct 2023 11:06:53 UTC
Oh dear, if only there were concerns raised about recent changes here that were not answered by the involved committers/reviewers.
> On 7. Oct 2023, at 12:57, Koichiro Iwao <meta@freebsd.org> wrote:
>
> Hi,
>
> Some applications cannot verify SSL certificates after this update. I tried to
> rebuild wget and aria2 with the revision after the recent update of ca_root_nss, but
> no joy. I think all ca_root_nss consumers must be checked.
>
> % LANG=C aria2c https://www.freebsd.org/
>
> 10/07 19:45:55 [NOTICE] Downloading 1 item(s)
>
> 10/07 19:45:55 [ERROR] Failed to load trusted CA certificates from no. Cause: error:02001002:system library:fopen:No such file or directory
>
> 10/07 19:45:55 [ERROR] CUID#7 - Download aborted. URI=https://www.freebsd.org/
> Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://www.freebsd.org/
> -> [SocketCore.cc:1021] errorCode=1 SSL/TLS handshake failure: unable to get local issuer certificate
> [#2ed384 0B/0B CN:0 DL:0B]
> 10/07 19:45:56 [NOTICE] Download GID#2ed384d2f1d3b6be not complete:
>
> Download Results:
> gid |stat|avg speed |path/URI
> ======+====+===========+=======================================================
> 2ed384|ERR | 0B/s|https://www.freebsd.org/
>
> Status Legend:
> (ERR):error occurred.
>
> aria2 will resume download if the transfer is restarted.
> If there are any errors, then see the log file. See '-l' option in help/man page for details.
>
> % LANG=C wget -O - https://www.freebsd.org
> --2023-10-07 19:50:58-- https://www.freebsd.org/
> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
> Unable to locally verify the issuer's authority.
> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
>
> % pkg info ca_root_nss
> ca_root_nss-3.93_1
> Name : ca_root_nss
> Version : 3.93_1
> Installed on : Sat Oct 7 19:26:44 2023 JST
> Origin : security/ca_root_nss
> Architecture : FreeBSD:13:*
> Prefix : /usr/local
> Categories : security
> Licenses : MPL20
> Maintainer : ports-secteam@FreeBSD.org
> WWW : UNKNOWN
> Comment : Root certificate bundle from the Mozilla Project
> Annotations :
> Flat size : 747KiB
> Description :
> Root certificates from certificate authorities included in the Mozilla
> NSS library and thus in Firefox and Thunderbird.
>
> This port directly tracks the version of NSS in the security/nss port.
>
> % pkg info aria2
> aria2-1.36.0_3
> Name : aria2
> Version : 1.36.0_3
> Installed on : Sat Oct 7 19:41:52 2023 JST
> Origin : www/aria2
> Architecture : FreeBSD:13:amd64
> Prefix : /usr/local
> Categories : www
> Licenses : GPLv2
> Maintainer : sunpoet@FreeBSD.org
> WWW : https://aria2.github.io/
> Comment : Yet another download tool
> Options :
> CARES : off
> DOCS : on
> EXPAT : off
> LIBUV : off
> LIBXML2 : on
> NLS : on
> SQLITE : on
> SSH2 : off
> STATIC : on
> Shared Libs required:
> libxml2.so.2
> libssl.so.11
> libsqlite3.so.0
> libintl.so.8
> libcrypto.so.11
> Shared Libs provided:
> libaria2.so.0
> Annotations :
> FreeBSD_version: 1302508
> cpe : cpe:2.3:a:aria2_project:aria2:1.36.0:::::freebsd13:x64:3
> Flat size : 16.5MiB
> Description :
> aria2 is a lightweight multi-protocol & multi-source command-line download
> utility. It supports HTTP/HTTPS, FTP, BitTorrent and Metalink. aria2 can be
> manipulated via built-in JSON-RPC and XML-RPC interfaces. Its features include:
> - Multi-Connection Download.
> aria2 can download a file from multiple sources/protocols and tries to utilize
> your maximum download bandwidth. Really speeds up your download experience.
> - Lightweight.
> aria2 doesn't require much memory and CPU time. The physical memory usage is
> typically 4MiB (normal HTTP/FTP downloads) to 9MiB (BitTorrent downloads). CPU
> usage in BitTorrent with download speed of 2.8MiB/sec is around 6%.
> - Fully Featured BitTorrent Client.
> All features you want in BitTorrent client are available: DHT, PEX,
> Encryption, Magnet URI, Web-Seeding, Selective Downloads and Local Peer
> Discovery.
> - Metalink Enabled.
> aria2 supports The Metalink Download Description Format (aka Metalink v4),
> Metalink version 3 and Metalink/HTTP. Metalink offers the file verification,
> HTTP/FTP/BitTorrent integration and the various configurations for language,
> location, OS, etc.
> - Remote Control.
> aria2 supports RPC interface to control the aria2 process. The supported
> interfaces are JSON-RPC (over HTTP and WebSocket) and XML-RPC.
>
> % pkg info wget
> wget-1.21.4
> Name : wget
> Version : 1.21.4
> Installed on : Sat Oct 7 19:52:03 2023 JST
> Origin : ftp/wget
> Architecture : FreeBSD:13:amd64
> Prefix : /usr/local
> Categories : www ftp
> Licenses : GPLv3+
> Maintainer : vd@FreeBSD.org
> WWW : https://www.gnu.org/s/wget/
> Comment : Retrieve files from the Net via HTTP(S) and FTP
> Options :
> DOCS : on
> GNUTLS : off
> IDN : on
> IPV6 : on
> MANPAGES : on
> METALINK : off
> NLS : on
> NTLM : off
> OPENSSL : on
> PCRE2 : off
> PSL : on
> Shared Libs required:
> libunistring.so.5
> libssl.so.11
> libpsl.so.5
> libpcre.so.1
> libintl.so.8
> libidn2.so.0
> libcrypto.so.11
> Annotations :
> FreeBSD_version: 1302508
> cpe : cpe:2.3:a:gnu:wget:1.21.4:::::freebsd13:x64
> Flat size : 3.45MiB
> Description :
> GNU wget is a free software package for retrieving files using HTTP,
> HTTPS and FTP, the most widely-used Internet protocols. It is a
> non-interactive command-line tool, so it may easily be called from
> scripts, cron jobs, terminals without X-Windows support, etc.
>
> GNU wget has many features to make retrieving large files or mirroring
> entire web or FTP sites easy, including:
>
> o Can resume aborted downloads, using REST and RANGE
> o Can use filename wild cards and recursively mirror directories
> o NLS-based message files for many different languages
> o Optionally converts absolute links in downloaded documents to
> relative, so that downloaded documents may link to each other locally
> o Supports HTTP and SOCKS proxies
> o Supports HTTP cookies
> o Supports persistent HTTP connections
> o Unattended / background operation
> o Uses local file timestamps to determine whether documents need to
> be re-downloaded when mirroring
> o GNU wget is distributed under the GNU General Public License.
>
>> On Fri, Oct 06, 2023 at 03:49:08PM +0000, Dag-Erling Smørgrav wrote:
>> The branch main has been updated by des:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=483e74f44b82f20bddd5608beef74b2a5ab38a88
>>
>> commit 483e74f44b82f20bddd5608beef74b2a5ab38a88
>> Author: Dag-Erling Smørgrav <des@FreeBSD.org>
>> AuthorDate: 2023-10-06 15:45:21 +0000
>> Commit: Dag-Erling Smørgrav <des@FreeBSD.org>
>> CommitDate: 2023-10-06 15:48:57 +0000
>>
>> security/ca_root_nss: Use certctl instead of a symlink.
>>
>> MFH: 2023Q4
>> Reviewed by: fluffy, sunpoet
>> Differential Revision: https://reviews.freebsd.org/D42045
>> ---
>> security/ca_root_nss/Makefile | 12 +-----------
>> security/ca_root_nss/files/pkg-message.in | 14 --------------
>> security/ca_root_nss/pkg-plist | 6 ++----
>> 3 files changed, 3 insertions(+), 29 deletions(-)
>>
>> diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
>> index db98535229c1..3abe00856c78 100644
>> --- a/security/ca_root_nss/Makefile
>> +++ b/security/ca_root_nss/Makefile
>> @@ -1,6 +1,6 @@
>> PORTNAME= ca_root_nss
>> PORTVERSION= ${VERSION_NSS}
>> -PORTREVISION= 0
>> +PORTREVISION= 1
>> CATEGORIES= security
>> MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
>> DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
>> @@ -17,14 +17,8 @@ USE_PERL5= build
>> NO_ARCH= yes
>> WRKSRC_SUBDIR= nss
>>
>> -OPTIONS_DEFINE= ETCSYMLINK
>> -OPTIONS_DEFAULT= ETCSYMLINK
>> -
>> OPTIONS_SUB= yes
>>
>> -ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem
>> -ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*
>> -
>> CERTDIR?= share/certs
>> PLIST_SUB+= CERTDIR=${CERTDIR}
>>
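Review bot: dropping ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* along with the option removes the only declared conflict with the other root-bundle port; if that port still installs its own /etc/ssl/cert.pem, the two can now be installed together without pkg noticing, so either confirm it no longer does or keep a plain CONFLICTS_INSTALL line. Removing the option also takes away the documented opt-out (ETCSYMLINK=off) for administrators who kept a site-local bundle at /etc/ssl/cert.pem; that change in behaviour deserves a sentence in the commit message.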
>> @@ -49,8 +43,4 @@ do-install:
>> ${MKDIR} ${STAGEDIR}${PREFIX}/openssl
>> ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
>>
>> -do-install-ETCSYMLINK-on:
>> - ${MKDIR} ${STAGEDIR}/etc/ssl
>> - ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
>> -
>> .include <bsd.port.mk>
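Review bot: do-install still stages ${PREFIX}/openssl/cert.pem.sample (the two unchanged context lines `${MKDIR} ${STAGEDIR}${PREFIX}/openssl` and `${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample`), while the pkg-plist hunk below drops the matching `@sample openssl/cert.pem.sample` entry, which leaves an orphaned file in the stage directory. Either delete those two install lines as well or keep the plist entry, so that check-plist stays clean.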
>> diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in
>> index d937df3a0922..a28b233e6599 100644
>> --- a/security/ca_root_nss/files/pkg-message.in
>> +++ b/security/ca_root_nss/files/pkg-message.in
>> @@ -7,20 +7,6 @@ audited for trustworthiness or RFC 3647 compliance.
>>
>> Assessment and verification of trust is the complete responsibility of the
>> system administrator.
>> -
>> -
>> -This package installs symlinks to support root certificates discovery by
>> -default for software that uses OpenSSL.
>> -
>> -This enables SSL Certificate Verification by client software without manual
>> -intervention.
>> -
>> -If you prefer to do this manually, replace the following symlinks with
>> -either an empty file or your site-local certificate bundle.
>> -
>> - * /etc/ssl/cert.pem
>> - * %%PREFIX%%/etc/ssl/cert.pem
>> - * %%PREFIX%%/openssl/cert.pem
>> EOM
>> }
>> ]
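Review bot: after this deletion the message still tells the administrator that trust assessment is their responsibility but no longer says how trust is wired up, which is exactly what changed in this commit. Suggest replacing the removed paragraphs with a short note that the bundle at %%PREFIX%%/share/certs/ca-root-nss.crt is now registered through certctl(8) rather than a /etc/ssl/cert.pem symlink, that the symlink is no longer provided, and that individual CAs can be excluded with certctl(8) instead of editing the bundle.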
>> diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
>> index e8111772d308..ef04e1ffd140 100644
>> --- a/security/ca_root_nss/pkg-plist
>> +++ b/security/ca_root_nss/pkg-plist
>> @@ -1,6 +1,4 @@
>> %%CERTDIR%%/ca-root-nss.crt
>> -@sample etc/ssl/cert.pem.sample
>> -@sample openssl/cert.pem.sample
>> -%%ETCSYMLINK%%/etc/ssl/cert.pem
>> -%%ETCSYMLINK%%@dir /etc/ssl
>> +@postexec certctl rehash
>> +@postunexec certctl rehash
>> @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
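Review bot: removing `%%ETCSYMLINK%%/etc/ssl/cert.pem` makes pkg delete that symlink on upgrade, and nothing added in this plist puts a bundle file back; `@postexec certctl rehash` only registers the certificates in the hashed directory. Any consumer that loads its CA store from a file path rather than the hashed directory therefore stops verifying after the upgrade, which is what the quoted wget ("Unable to locally verify the issuer's authority") and aria2 ("Failed to load trusted CA certificates") runs show. Either keep the symlink for a transition period or pair this change with a sweep of ports that depend on ca_root_nss and point at /etc/ssl/cert.pem.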
>
> --
> meta <meta@FreeBSD.org>
>