This is 95% of the ports that currently use ca_root_nss. Some have a
CA_BUNDLE option that I've not yet touched, because... it's not clear to
me what we want to do there, or if the options can just be
dropped/replaced.
Diff Detail
Repository: rP FreeBSD ports repository
Buildable 40977 Build 37866: arc lint + arc unit
Inline comments:

dns/libasr-devel/Makefile, line 17:
It looks like the ca_root_nss dependency was removed from libasr-devel/Makefile, but caroot wasn't added to USES. The CA_BUNDLE option switched the default CA location to ${LOCALBASE}, but without USES=caroot, /etc/ssl/cert.pem will be a stub on pre-certctl machines.

mail/mpop/Makefile, line 48:
mail/mpop/Makefile doesn't have USES=caroot. Will that not just be a stub on older machines?
Awesome to see this! Thank you Kyle.
I do not fully understand the purpose of caroot here for the following reasoning:
- I cannot find caroot in /usr/ports/Mk. How is this supposed to work?
- If an application uses OpenSSL from base and calls SSL_CTX_set_default_verify_paths()/SSL_CTX_set_default_verify_dir(), or any other TLS implementation which reads /etc/ssl/certs by default, it will work out of the box.
- If an application does not call SSL_CTX_set_default_verify_paths()/SSL_CTX_set_default_verify_dir(), but uses SSL_CTX_load_verify_locations() with the hardcoded location of ca_root_nss there is no way for us to know w/o looking into the code.
- If an application uses OpenSSL from ports, the following applies and there is no trust store. Same applies for libressl/libressl-devel.
Here are two similar issues related to trust stores: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253060 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256902
OpenSSL from ports:
OPENSSLDIR: "/usr/local/openssl"
LibreSSL:
OPENSSLDIR: "/usr/local/etc/ssl"
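The three cases in the comment above (an app honouring the library's default verify paths, an app with the ca_root_nss bundle hardcoded via SSL_CTX_load_verify_locations(), and the differing OPENSSLDIR of base OpenSSL, ports OpenSSL and LibreSSL) can be modelled directly. The following is an added example written for this page, not code from the review or from any port. It assumes /etc/ssl as the OPENSSLDIR of base OpenSSL (inferred from the /etc/ssl/cert.pem and /etc/ssl/certs paths in the discussion), assumes /usr/local/share/certs/ca-root-nss.crt as the path the ca_root_nss port installs (not stated on the page), and uses constructed host images rather than real machines so it runs anywhere. The useful detail for the "stub on pre-certctl machines" case is that a zero-length /etc/ssl/cert.pem exists, so an existence check is not enough; the file has to actually carry a certificate.

```python
import ssl
from typing import Callable, Dict, Optional

# OPENSSLDIR of each TLS library. The ports OpenSSL and LibreSSL values are the
# ones quoted in the review; /etc/ssl for base OpenSSL is inferred from the
# /etc/ssl/cert.pem and /etc/ssl/certs paths the discussion refers to.
OPENSSLDIR: Dict[str, str] = {
    "base-openssl": "/etc/ssl",
    "ports-openssl": "/usr/local/openssl",
    "libressl": "/usr/local/etc/ssl",
}

# Bundle installed by the ca_root_nss port (assumption: the path is not on the page).
CA_ROOT_NSS_BUNDLE = "/usr/local/share/certs/ca-root-nss.crt"

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

# A "filesystem" is a mapping path -> contents; a missing key means the file is absent.
FileReader = Callable[[str], Optional[str]]


def has_trust_anchors(path: str, read: FileReader) -> bool:
    """A file counts only if it exists AND contains at least one PEM certificate.

    An empty /etc/ssl/cert.pem (the stub on hosts without certctl) does exist,
    so an existence check alone would wrongly report it as usable.
    """
    data = read(path)
    return data is not None and PEM_MARKER in data


def default_verify_locations(library: str) -> Dict[str, str]:
    """What SSL_CTX_set_default_verify_paths() resolves to for a given library."""
    base = OPENSSLDIR[library]
    return {"cafile": f"{base}/cert.pem", "capath": f"{base}/certs"}


def can_verify(library: str, hardcoded_cafile: Optional[str], files: Dict[str, str]) -> bool:
    """Would certificate verification find any trust anchor on this host image?

    hardcoded_cafile=None models an app calling SSL_CTX_set_default_verify_paths();
    a path models SSL_CTX_load_verify_locations(path, NULL) with that path baked in.
    """
    read: FileReader = files.get
    if hardcoded_cafile is not None:
        return has_trust_anchors(hardcoded_cafile, read)
    loc = default_verify_locations(library)
    if has_trust_anchors(loc["cafile"], read):
        return True
    # capath is a directory of individual certs (hashed names); any PEM file in it will do.
    prefix = loc["capath"] + "/"
    return any(p.startswith(prefix) and PEM_MARKER in c for p, c in files.items())


def live_default_paths() -> Dict[str, str]:
    """On a real host: the defaults compiled into the OpenSSL this interpreter links against."""
    p = ssl.get_default_verify_paths()
    return {"openssl_cafile": p.openssl_cafile, "openssl_capath": p.openssl_capath}


# Constructed host images (not captured from real machines).
FAKE_CERT = PEM_MARKER + "\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
HOST_WITH_CERTCTL = {"/etc/ssl/cert.pem": FAKE_CERT}  # certctl populated the base store
HOST_PRE_CERTCTL = {
    "/etc/ssl/cert.pem": "",            # stub: present but holds no anchors
    CA_ROOT_NSS_BUNDLE: FAKE_CERT,      # ca_root_nss still installed
}


if __name__ == "__main__":
    for name, host in (("certctl host", HOST_WITH_CERTCTL), ("pre-certctl host", HOST_PRE_CERTCTL)):
        for lib in OPENSSLDIR:
            print(f"{name:17} {lib:14} default paths -> {can_verify(lib, None, host)}")
        print(f"{name:17} hardcoded ca_root_nss bundle -> "
              f"{can_verify('base-openssl', CA_ROOT_NSS_BUNDLE, host)}")
    print("this interpreter:", live_default_paths())
```

Run on a real FreeBSD host, the last line shows which cafile/capath the interpreter's own OpenSSL consults, which is the quickest way to see whether a given build looks under /etc/ssl or under a ports-specific OPENSSLDIR with no trust store behind it.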
The answer to this question answers most of your others, see here: https://reviews.freebsd.org/D31487; it's entirely "pull in the dependency on FreeBSD versions that don't have a root trust store installed in base"
I'll circle back on the rest within a couple days... this patch still needs a bit of fine-tuning.