new certificate for svn.freebsd.org?
Matthew Seaman
matthew at FreeBSD.org
Sat Jun 18 09:21:58 UTC 2016
On 18/06/2016 05:40, Ben Steel via freebsd-stable wrote:
> It's not just you, Wolfgang. See bug 210332 at bugs.freebsd.org.
> The new certificate is in place on the 4 mirrors that I found (US East,
> US West, UK, Russia) but didn't verify cleanly and wasn't in the
> documentation.
>
> For me, the fix was in Dimitry's mail, a step I probably missed when
> installing security/ca_root_nss:
>
> sudo ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

There's an option in the ca_root_nss port to create the symlink, which
is enabled by default. That option only exists because the ports are
not supposed to touch anything outside /usr/local -- except that for
this port, not creating the symlink for /etc/ssl/cert.pem pretty much
renders the whole port pointless.

Even so, the option used to be off by default: the change to 'on by
default' was made almost exactly a year ago, and there have been several
changes to the list of certs since, so not having the symlink in place
indicates either that you haven't updated your ports recently, or that
you've specifically chosen not to enable the symlink. In which case you
wouldn't have been able to validate the previous cert either.

There really is no excuse for not updating the ca_root_nss port
immediately there are updates available. Otherwise you can end up
trusting certificates that have since been shown to be less than
trustworthy.

That you couldn't verify the cert is not a bug in FreeBSD, but a
configuration problem in your own system. Not having the right
fingerprint in the docs certainly is a bug which I'm sure will be
addressed soon.

Cheers,
Matthew
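
An added example, not part of the original message: a small sh check for the state of the /etc/ssl/cert.pem symlink discussed in this thread, distinguishing a missing link from a stale copy, a dangling link, or a link to some other file. The function name, status words and environment variable names are this example's own; the two default paths are the ones given in the thread.

```sh
#!/bin/sh
# check_trust_link LINK BUNDLE
# Prints one status word (names chosen for this example) and returns:
#   0 ok        LINK is a symlink resolving to BUNDLE, which holds certificates
#   1 missing   LINK does not exist, so nothing can be validated against it
#   2 not-link  LINK is a regular file: a copy that will not follow port updates
#   3 dangling  LINK is a symlink whose target is gone
#   4 other     LINK resolves to some file other than BUNDLE
#   5 empty     BUNDLE contains no PEM certificates
check_trust_link() {
    ctl_link=$1
    ctl_bundle=$2
    if [ -L "$ctl_link" ]; then
        # -e follows the link, so it fails when the target is missing
        [ -e "$ctl_link" ] || { echo dangling; return 3; }
    elif [ -e "$ctl_link" ]; then
        echo not-link; return 2
    else
        echo missing; return 1
    fi
    if [ "$(readlink -f "$ctl_link")" != "$(readlink -f "$ctl_bundle")" ]; then
        echo other; return 4
    fi
    # grep -c exits non-zero on a zero count, hence the "|| true"
    ctl_n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ctl_bundle" || true)
    [ "${ctl_n:-0}" -gt 0 ] || { echo empty; return 5; }
    echo ok
}

# Defaults are the two paths named in the thread; override via environment.
TRUST_LINK=${TRUST_LINK:-/etc/ssl/cert.pem}
TRUST_BUNDLE=${TRUST_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}
status=$(check_trust_link "$TRUST_LINK" "$TRUST_BUNDLE") || true
echo "$TRUST_LINK -> $TRUST_BUNDLE: $status"
```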