Page MenuHomeFreeBSD
Differential D42059

libfetch: don't rely on ca_root_nss for certificate validation
ClosedPublic
Actions

Authored by des on Oct 3 2023, 3:57 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 25, 2:28 PM
Unknown Object (File)
Mon, Nov 25, 2:28 PM
Unknown Object (File)
Mon, Nov 25, 2:28 PM
Unknown Object (File)
Mon, Nov 25, 2:06 PM
Unknown Object (File)
Sat, Nov 23, 1:05 AM
Unknown Object (File)
Oct 6 2024, 9:40 PM
Unknown Object (File)
Oct 6 2024, 9:40 PM
Unknown Object (File)
Oct 6 2024, 9:40 PM
View All 39 Files
Subscribers
imp

Details

Reviewers
kevans
Commits
rG8d939b7d9845: libfetch: don't rely on ca_root_nss for certificate validation
rGbaf69f6c9973: libfetch: don't rely on ca_root_nss for certificate validation
rG4357ae1174f3: libfetch: don't rely on ca_root_nss for certificate validation
rGfb058a9a40a5: libfetch: don't rely on ca_root_nss for certificate validation
rG09f5c1e118bb: libfetch: don't rely on ca_root_nss for certificate validation
Summary

Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.

We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.

With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
lib/
libfetch/
8 lines

Diff 128149

View Options

lib/libfetch/common.c

Loading...