[Bug 228621] [patch] Certificate validation error in ntpd leap file / ietf.org chain
bugzilla-noreply at freebsd.org
Wed Aug 29 18:24:35 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228621
Jeremy Chadwick <jdc at koitsu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jdc at koitsu.org
--- Comment #3 from Jeremy Chadwick <jdc at koitsu.org> ---
I haven't seen this error myself and I bet many users haven't as well. My
theory is that this is because we happen to have ca_root_nss installed via pkg
(a.k.a. security/ca_root_nss in ports). This is a common dependency in many
different packages.

ca_root_nss package is responsible for creating /usr/local/etc/ssl/cert.pem,
which base system OpenSSL (libssl.so.8) reads/honours. You can verify this
with truss.

pkg info -l ca_root_nss will not show this file in its packaging list because
of how ca_root_nss works. Some part of the pkg/port creates a hard link of
/usr/local/etc/ssl/cert.pem --> /usr/local/share/certs/ca-root-nss.crt, of
which the latter *is* in the package list. The pkg-message says it uses a
symlink but this is false; see PR 228550 for details.

This is really part of a bigger problem that is the whole "base system"
concept, but I don't want to get off-topic. The --no-verify-peer kludge should
be acceptable, though I would strongly suggest asking secteam@ first.
--
You are receiving this mail because:
You are on the CC list for the bug.
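
A check for the link relationship described in the comment above, as an added example that is not part of the original mail or of the ca_root_nss port. The function name `classify_bundle` and its result labels are assumptions; the default paths are the two named in the comment.

```shell
#!/bin/sh
# Added example: report how the CA bundle path that OpenSSL reads relates
# to the file shipped in the package list (hard link, symlink, copy, ...).
# classify_bundle and its output labels are hypothetical names.

classify_bundle() {
    link=$1      # path OpenSSL reads, e.g. /usr/local/etc/ssl/cert.pem
    target=$2    # packaged file, e.g. /usr/local/share/certs/ca-root-nss.crt

    # Neither a file nor a (possibly dangling) symlink: no bundle at all.
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo missing; return 0
    fi

    # Symlink: -ef follows it, so this tells us whether it resolves to target.
    if [ -L "$link" ]; then
        if [ "$link" -ef "$target" ]; then echo symlink; else echo symlink-other; fi
        return 0
    fi

    # Regular file sharing device and inode with the target: a hard link.
    if [ "$link" -ef "$target" ]; then
        echo hardlink; return 0
    fi

    # Different inode but identical bytes: an independent copy.
    if [ -f "$target" ] && cmp -s "$link" "$target"; then
        echo copy; return 0
    fi

    # A file exists but does not come from the packaged bundle.
    echo unrelated
}

# Run against the paths from the comment unless others are given.
classify_bundle "${1:-/usr/local/etc/ssl/cert.pem}" \
                "${2:-/usr/local/share/certs/ca-root-nss.crt}"
```

A result of `missing` means no bundle exists at that path for the library to read; `unrelated` means the trust anchors in use do not come from the packaged file and should be reviewed.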