Please help regarding usage of client certificates with pkg command used on FreeBSD

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jan 19 11:29:09 UTC 2015


On 01/19/15 11:07, Baptiste Daroussin wrote:
> January 1 2015 8:09 AM, "Mohit Hasija" <mh00122988 at techmahindra.com> wrote: 
>> Dear Pkg port Manager,
>>
>> We intend to use client certificates for https authentication during retrieval of a package from a
>> custom repository built at remote location.
>>
>> We want to know the following:
>>
>> 1. Is there inbuilt support for usage of client certificates with "pkg" command on FreeBSD 10.1
>> release?
>>
>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>
>> In case No, how can we add support to pkg with minimal efforts for using client certificates?
>>
>> Awaiting an early reply...
>>
>> regards
>>
>> Mohit Hasija
>> Mobile No.: +91-9958302266
> 
> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does support such a feature.
> 
> Adding such a feature to libfetch would be great but that would also mean it will not find its way to FreeBSD 10.1 as FreeBSD 10.1 is already released.
> 
> FYI: I added pkg at FreeBSD.org to CC as it is the right list to discuss such things.

This should be possible -- see the fetch(3) man page, especially the
ENVIRONMENT section where it mentions amongst other things:

 SSL_CLIENT_CERT_FILE
                 PEM encoded client certificate/key which will be used
                 in client certificate authentication.

 SSL_CLIENT_KEY_FILE
                 PEM encoded client key in case key and client
                 certificate are stored separately.

Simply set those environment variables to appropriate values and it
should just work.  You may need to add settings to tell fetch(3) to
trust the server certificates. If you can make the client cert
authentication work with fetch(1) -- which might be easier to debug --
then it should work with pkg(8).  Do let us know how you get on.

	Cheers,

	Matthew
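
The setup described in this reply, as an added shell example that is not part of the original message or of pkg/libfetch: a wrapper that checks the PEM files before exporting the two fetch(3) variables for a single command. The function names, paths and URL are hypothetical; SSL_CA_CERT_FILE, mentioned in a comment, is another variable listed in fetch(3) and is not named in the post.

```shell
#!/bin/sh
# Added example: run one command with fetch(3)'s client-certificate
# variables set, after basic sanity checks on the PEM files.

# has_pem FILE LABEL-REGEX: true if FILE holds a PEM block with that label.
has_pem() {
    grep -Eq -- "^-----BEGIN ($2)-----" "$1" 2>/dev/null
}

# private_mode FILE: true if group and other have no permission bits.
private_mode() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# with_client_cert CERT KEY CMD...
#   Pass KEY as "" when CERT contains both the certificate and the key.
with_client_cert() {
    cert=$1 key=$2; shift 2
    has_pem "$cert" 'CERTIFICATE' ||
        { echo "no PEM certificate in $cert" >&2; return 2; }
    if [ -n "$key" ]; then keyfile=$key; else keyfile=$cert; fi
    has_pem "$keyfile" '([A-Z]+ )?PRIVATE KEY' ||
        { echo "no PEM private key in $keyfile" >&2; return 3; }
    private_mode "$keyfile" ||
        { echo "$keyfile is accessible to group/other (chmod 600)" >&2; return 4; }
    (
        # Subshell: the variables apply to this command only.
        SSL_CLIENT_CERT_FILE=$cert; export SSL_CLIENT_CERT_FILE
        if [ -n "$key" ]; then
            SSL_CLIENT_KEY_FILE=$key; export SSL_CLIENT_KEY_FILE
        else
            unset SSL_CLIENT_KEY_FILE
        fi
        "$@"
    )
}

# Usage on the FreeBSD host (placeholder paths and URL). Debug with
# fetch(1) first, then run pkg(8) the same way:
#   with_client_cert /path/to/client.crt /path/to/client.key \
#       fetch -o /dev/null https://pkg.example.invalid/path/to/file
#   with_client_cert /path/to/client.crt /path/to/client.key pkg update
# If the repository server uses a private CA, export SSL_CA_CERT_FILE
# (see fetch(3)) before calling the wrapper.
```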


