From nobody Sun Oct 08 19:04:38 2023 X-Original-To: ports@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S3Wn56CVYz4wv7b; Sun, 8 Oct 2023 19:04:41 +0000 (UTC) (envelope-from tijl@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S3Wn55knHz4HSM; Sun, 8 Oct 2023 19:04:41 +0000 (UTC) (envelope-from tijl@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696791881; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TFwagdiHhVPX4GwRu86WNXZzRuK2qohdh2yUTCqK1eA=; b=r8LPcAVLG0j1C4ezUWbOL7xMtEZ4j4gu9THtlSyMPs6ykh7pQZpvpfAhys2TCJ4K92atut RxESvh4f1N36NEIoBCs3AHGflt6yDHHXKOso2WL8SK8KkHC6gX3kgAMQXcaaS8d7hliMuw dmAFFYlWQZBiowWk93b41aXsNXkcsScs37+XzHBVkBc8c4wBdmFXu+HSYoxR/+HyjTOmIg PzAo1ir0lAlcsgZqgOzgcVRjKayI4SZ5njVJNHwbU46DhQgk36yTg2wVyD1DcAc6Xl6aid BVKf7+MFbV/2TaqrDVuhAtl5fVjnqh8U1w6NaF1nzZ8XymbFFPC7SGID2p0ZRw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696791881; a=rsa-sha256; cv=none; b=R7wGO18O3DvaMBqRlc17QVW8tw9xOdGKPW/OqmqfpU+kFCQF8NqWKu1/DnUxwmEX9iITcY hkCxDpgpGkB/ooFYIJDQ7dagQRJrfuK6xBjr6JmZ/XHMBSZOn9L/NrDFgvsw4KzA89jTsW E6VgUtpqkNa3by8QO0wK0Mkelgd1GPN+EW7mtKrKfZO6Eacr6LWFi+Qn8c8orLXMFBdkr6 5IylgzA0ZXeTtONsp20ge3EHGV7+W4zIHmq6y+Jo1eS0sw5OFgwKuxNXCSyebCNubWYbno 2P/VqMSgjoysULldtXrzlroevE+Qoq4kUzvOXejaPFjYzMImsJYaFRtS8u2c5Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696791881; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TFwagdiHhVPX4GwRu86WNXZzRuK2qohdh2yUTCqK1eA=; b=J+Mus9D0Jzid3cACkxacR8lS8T3iBFU7gxkpYFWfNpZFcw3MBrdCLax/0IUXtjgs0uRSey tzZCVhQRP0UxRo9mNZxw59SBmcTwVQKT4I4icsxk/cVfWlNgDX1u+8vYx7tPFFoUIABnNW FfwINQUqMWfYoyroD1UeoQXQSY4km5xQEf7ne6289S1GItxetCSjkecjZBsDuKdFoMeC2g m1kUavr712m/fAwsjoujuraxp1oju0K3xIDQLFs6O4Nx5e/lrB+WdAKJfZV/S+dXM860vy aVpzGYxGt7/WkRv+ewqquxDMpA5d42pu/k7yn4J33nQgbls6W429HF1rcxMnVg== Received: from hal.tijl.coosemans.org (unknown [IPv6:2a02:a03f:894b:4700:5b0:6141:7d1a:2857]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: tijl) by smtp.freebsd.org (Postfix) with ESMTPSA id 4S3Wn46BKCz1LQH; Sun, 8 Oct 2023 19:04:40 +0000 (UTC) (envelope-from tijl@FreeBSD.org) Date: Sun, 8 Oct 2023 21:04:38 +0200 From: =?UTF-8?B?VMSzbA==?= Coosemans To: Koichiro Iwao Cc: Dag-Erling =?UTF-8?B?U23DuHJncmF2?= , ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org, ports@freebsd.org Subject: Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink. Message-ID: <20231008210438.1d6f0953@hal.tijl.coosemans.org> In-Reply-To: References: <202310061549.396Fn8xF027032@gitrepo.freebsd.org> <868r8eeja5.fsf@ltc.des.no> List-Id: Porting software to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-ports List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports@freebsd.org X-BeenThere: freebsd-ports@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Sun, 8 Oct 2023 04:56:43 +0900 Koichiro Iwao wrote: > On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote: >> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Sm=C3=B8rgrav wrote= : =20 >>> Koichiro Iwao writes: =20 >>>> % LANG=3DC wget -O - https://www.freebsd.org >>>> --2023-10-07 19:50:58-- https://www.freebsd.org/ >>>> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2= 405:f000:202:2541::50:3, 192.50.199.250, ... >>>> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:= 443... connected. >>>> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=3DR3= ,O=3DLet\'s Encrypt,C=3DUS': >>>> Unable to locally verify the issuer's authority. >>>> To connect to www.freebsd.org insecurely, use `--no-check-certificate'= . =20 >>>=20 >>> I'm unable to reproduce this on 13.2. Running wget under ktrace shows >>> that although it first looks for the nonexistent bundle, it correctly >>> falls back to the system trust store. =20 >=20 > Regarding wget, it was an issue with security/openssl. >=20 > I'm using openssl from ports: > > DEFAULT_VERSIONS+=3D ssl=3Dopenssl =20 >=20 > As far as I tried debugging with ktrace, security/openssl doesn't > fallback to /etc/ssl/certs directory. >=20 > % LANG=3DC ktrace wget -O /dev/null https://www.freebsd.org/ > --2023-10-08 04:32:45-- https://www.freebsd.org/ > Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405= :f000:202:2541::50:3, 210.231.212.93, ... > Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443= ... connected. > ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=3DR3,O= =3DLet\'s Encrypt,C=3DUS': > Unable to locally verify the issuer's authority. > To connect to www.freebsd.org insecurely, use `--no-check-certificate'. >=20 > % kdump -tn |grep -e "/etc" -e "certs" > 28088 wget NAMI "/etc/libmap.conf" > 28088 wget NAMI "/usr/local/etc/libmap.d" > 28088 wget NAMI "/usr/local/etc/libmap.d/mesa.conf" > 28088 wget NAMI "/etc/malloc.conf" > 28088 wget NAMI "/usr/local/etc/wgetrc" > 28088 wget NAMI "/usr/local/etc/wgetrc" > 28088 wget NAMI "/etc/localtime" > 28088 wget NAMI "/etc/nsswitch.conf" > 28088 wget NAMI "/etc/nsswitch.conf" > 28088 wget NAMI "/etc/hosts" > 28088 wget NAMI "/etc/resolv.conf" > 28088 wget NAMI "/usr/local/openssl/certs/8d33f237.0" > 28088 wget NAMI "/usr/local/openssl/certs/4042bcee.0" > 28088 wget NAMI "/usr/local/openssl/certs/2e5ac55d.0" > 28088 wget NAMI "/usr/local/openssl/certs/2e5ac55d.0" > 28088 wget NAMI "/usr/local/openssl/certs/bfabe37b.0" >=20 > % ls -l /usr/local/openssl/certs > (empty) >=20 > # rmdir /usr/local/openssl/certs > # ln -s /etc/ssl/certs /usr/local/openssl >=20 > So I replaced /usr/local/openssl/certs directory with a symlink to > /etc/ssl/certs directory. The workaround worked perfectly. >=20 > The security/openssl port might need some adjustment. After ca_root_nss > quit providing /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should > be added to the search path. Otherwise, openssl port cannot find root > certificates installed by ca_root_nss. There's a patch for security/openssl in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D269473