svn commit: r378720 - in head/security/ca_root_nss: . files
Kubilay Kocak
koobs at FreeBSD.org
Mon Feb 9 09:44:29 UTC 2015
Author: koobs
Date: Mon Feb 9 09:44:28 2015
New Revision: 378720
URL: https://svnweb.freebsd.org/changeset/ports/378720
QAT: https://qat.redports.org/buildarchive/r378720/
Log:
security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers
Since 2.7.9, Python verifies SSL certificates by default. Currently,
even with security/ca_root_nss installed, Python fails certificate
verification.
Upon investigation, Python uses OpenSSL's standard
SSL_CTX_load_verify_locations function to load a list of CA root
certificates.
Support was added to ca_root_nss for "out of the box" certificate
verification for a number of base utilities in r372629 [1], but this
did not include support for software that uses OpenSSL's
SSL_CTX_load_verify_locations function.
[1] https://svnweb.freebsd.org/changeset/ports/372629
OpenSSL defaults (at compile time) to the following paths and filenames
for certificate and CAFile lookup:
Base:
SSL_CERT_DIR=/etc/ssl/certs
SSL_CERT_FILE=/etc/ssl/cert.pem
Ports:
SSL_CERT_DIR=/usr/local/openssl/certs
SSL_CERT_FILE=/usr/local/openssl/cert.pem
This change installs a symlink which points to the root certificate
bundle in the location that OpenSSL from ports looks for them.
This allows any and all software utilising the SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.
Additionally, display a pkg-message to the user about the lack of
warranty associated with these certificates.
Note: This is *NOT* related to solving for SSL certificate verification
for OpenSSL in Base, which is covered in bug 189811.
While I'm here:
- Add LICENSE
- Use options helpers and OPTIONS_SUB
- Fix typo in !!! message !!!
PR: 196431
Submitted by: koobs
Reviewed by: jbeich
Approved by: maintainer timeout (1 month)
Added:
head/security/ca_root_nss/files/pkg-message.in (contents, props changed)
Modified:
head/security/ca_root_nss/Makefile
head/security/ca_root_nss/pkg-plist
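As an added diagnostic written for this note (not code from the port or from this commit), the script below walks the CA locations that Python's OpenSSL consults, as reported by ssl.get_default_verify_paths(), which resolve to the SSL_CERT_FILE/SSL_CERT_DIR defaults quoted in the log message, and classifies each as missing, dangling symlink, empty opt-out file, CApath directory, or bundle with N certificates. The sample layout it builds in a temporary directory is constructed here to mirror the cert.pem symlink the port installs; the placeholder PEM blocks are not real certificates.

```python
import os
import ssl
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def count_pem_certs(path):
    """Count PEM certificate blocks in a bundle such as ca-root-nss.crt."""
    with open(path, "r", errors="ignore") as fh:
        return sum(1 for line in fh if line.strip() == PEM_MARKER)

def inspect_ca_location(path):
    """Classify a CAfile/CApath candidate: 'missing' and 'dangling-symlink'
    break verification, 'empty' is the opt-out the pkg-message describes,
    'directory' is a CApath, 'bundle(N)' is a usable file with N certs."""
    if os.path.islink(path) and not os.path.exists(path):
        return "dangling-symlink"
    if not os.path.exists(path):
        return "missing"
    if os.path.isdir(path):
        return "directory"
    if os.path.getsize(path) == 0:
        return "empty"
    return "bundle(%d)" % count_pem_certs(path)

def default_ca_locations():
    """Locations SSL_CTX_load_verify_locations consults under the compile-time
    defaults, as reported by Python's ssl.get_default_verify_paths()."""
    dvp = ssl.get_default_verify_paths()
    cands = (dvp.cafile, dvp.openssl_cafile, dvp.capath, dvp.openssl_capath)
    return sorted({p for p in cands if p})

def build_sample_layout():
    """Constructed fixture mirroring the port's install: a bundle, a cert.pem
    symlink to it, an empty opt-out file and a dangling symlink."""
    base = tempfile.mkdtemp(prefix="ca_root_nss_demo_")
    names = {"bundle": "ca-root-nss.crt", "link": "cert.pem",
             "empty": "empty.pem", "dangling": "dangling.pem"}
    paths = {k: os.path.join(base, v) for k, v in names.items()}
    with open(paths["bundle"], "w") as fh:  # three placeholder PEM blocks
        fh.write(("%s\nAAAA\n-----END CERTIFICATE-----\n" % PEM_MARKER) * 3)
    os.symlink(paths["bundle"], paths["link"])
    open(paths["empty"], "w").close()
    os.symlink(os.path.join(base, "not-there.crt"), paths["dangling"])
    return paths

if __name__ == "__main__":
    for p in default_ca_locations():
        print("%-45s %s" % (p, inspect_ca_location(p)))
```

Run it with the ports Python on a host that has ca_root_nss installed to confirm that the OpenSSL default cert.pem path resolves to a populated bundle rather than a dangling link.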
Modified: head/security/ca_root_nss/Makefile
==============================================================================
--- head/security/ca_root_nss/Makefile Mon Feb 9 08:53:10 2015 (r378719)
+++ head/security/ca_root_nss/Makefile Mon Feb 9 09:44:28 2015 (r378720)
@@ -2,15 +2,21 @@
PORTNAME= ca_root_nss
PORTVERSION= ${VERSION_NSS}
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
MAINTAINER= gecko at FreeBSD.org
-COMMENT= The root certificate bundle from the Mozilla Project
+COMMENT= Root certificate bundle from the Mozilla Project
+
+LICENSE= MPL
+
+OPTIONS_DEFINE= ETCSYMLINK
+OPTIONS_SUB= yes
-OPTIONS_DEFINE= ETCSYMLINK
ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem
+ETCSYMLINK_CONFLICTS= ca-roots-[0-9]*
USES= perl5
USE_PERL5= build
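Review bot: `ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem` now describes only part of what the port installs, since the `${PREFIX}/etc/ssl` and `${PREFIX}/openssl` symlinks added later in this change are unconditional while the option governs just the base-system path and its `ca-roots-[0-9]*` conflict; consider wording it along the lines of "Also install /etc/ssl/cert.pem symlink for base OpenSSL" so users see what the option toggles. The PORTREVISION bump is correct given the plist change.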
@@ -21,7 +27,7 @@ CERTDIR?= share/certs
PLIST_SUB+= CERTDIR=${CERTDIR}
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-# !!! These versions are indented to track security/nss. !!!
+# !!! These versions are intended to track security/nss. !!!
# !!! Please DO NOT submit patches for new version until it has !!!
# !!! been committed there first. !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@@ -29,18 +35,12 @@ VERSION_NSS= 3.17.4
#NSS_SUFFIX= .with.ckbi.1.93
CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt
BUNDLE_PROCESSOR= MAca-bundle.pl
-SUB_FILES= MAca-bundle.pl
+
+SUB_FILES= MAca-bundle.pl pkg-message
SUB_LIST= VERSION_NSS=${VERSION_NSS}
.include <bsd.port.options.mk>
-.if ${PORT_OPTIONS:METCSYMLINK}
-PLIST_SUB+= ETCSYMLINK=
-CONFLICTS= ca-roots-[0-9]*
-.else
-PLIST_SUB+= ETCSYMLINK="@comment "
-.endif
-
do-extract:
@${MKDIR} ${WRKDIR}
@${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \
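Review bot: `pkg-message.in` depends on `%%PREFIX%%` being substituted, yet `SUB_LIST` only names `VERSION_NSS`; this works because the framework adds PREFIX to the default substitution list, but a short comment beside `SUB_LIST` would save the next reader the lookup. Keep `.include <bsd.port.options.mk>` even though the `.if ${PORT_OPTIONS:METCSYMLINK}` block here is gone, as post-install still branches on the option (see the `.endif` in the next hunk).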
@@ -63,6 +63,8 @@ post-install:
${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
.endif
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
+ ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/openssl
+ ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
.include <bsd.port.mk>
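Review bot: the two new PREFIX symlinks are installed as `.sample` files and therefore survive a reinstall once the administrator replaces them, whereas the ETCSYMLINK-controlled `${STAGEDIR}/etc/ssl/cert.pem` above the `.endif` remains a plain symlink that pkg recreates on every reinstall; since pkg-message invites the admin to replace all three, either give the base path the same `@sample` treatment or call out the difference in the message. Also note only the CAfile half of the defaults is provided: `${PREFIX}/openssl/certs` (the SSL_CERT_DIR from the log) stays unpopulated, which is fine for callers passing a CAfile but deserves a comment.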
Added: head/security/ca_root_nss/files/pkg-message.in
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/ca_root_nss/files/pkg-message.in Mon Feb 9 09:44:28 2015 (r378720)
@@ -0,0 +1,25 @@
+********************************* WARNING *********************************
+
+FreeBSD does not, and can not warrant that the certificate authorities
+whose certificates are included in this package have in any way been
+audited for trustworthiness or RFC 3647 compliance.
+
+Assessment and verification of trust is the complete responsibility of the
+system administrator.
+
+*********************************** NOTE **********************************
+
+This package installs symlinks to support root certificates discovery by
+default for software that uses OpenSSL.
+
+This enables SSL Certificate Verification by client software without manual
+intervention.
+
+If you prefer to do this manually, replace the following symlinks with
+either an empty file or your site-local certificate bundle.
+
+ * /etc/ssl/cert.pem
+ * %%PREFIX%%/etc/ssl/cert.pem
+ * %%PREFIX%%/openssl/cert.pem
+
+***************************************************************************
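Review bot: wording nits in the WARNING and NOTE text: "can not" should be "cannot", and "root certificates discovery" reads better as "root certificate discovery". More importantly, `/etc/ssl/cert.pem` is listed unconditionally although the port only installs it when the ETCSYMLINK option is enabled; qualify that bullet so the message does not point at a path that may not exist on the user's system.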
Modified: head/security/ca_root_nss/pkg-plist
==============================================================================
--- head/security/ca_root_nss/pkg-plist Mon Feb 9 08:53:10 2015 (r378719)
+++ head/security/ca_root_nss/pkg-plist Mon Feb 9 09:44:28 2015 (r378720)
@@ -1,3 +1,4 @@
%%CERTDIR%%/ca-root-nss.crt
-etc/ssl/cert.pem
+ at sample etc/ssl/cert.pem.sample
+ at sample openssl/cert.pem.sample
%%ETCSYMLINK%%/etc/ssl/cert.pem
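Review bot: `+ at sample` here is the list archive's address munging of `@sample` (the same rewrite turns `koobs@` into `koobs at` in the headers), so the actual plist lines read `@sample etc/ssl/cert.pem.sample` and `@sample openssl/cert.pem.sample`. Note that the `@sample` entries cover only the two PREFIX-relative paths while `%%ETCSYMLINK%%/etc/ssl/cert.pem` stays a plain absolute entry, consistent with the post-install hunk in the Makefile.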