Page MenuHomeFreeBSD

libfetch: test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH

Authored by on Jan 3 2016, 11:44 PM.



Prior to this patch, unless SSL_CA_CERT_FILE is set in the environment, libfetch will set the CA file to "/usr/local/etc/cert.pem" if it exists, and to "/etc/ssl/cert.pem" otherwise. This has the consequence of masking SSL_CA_CERT_PATH, because OpenSSL will ignore the CA path if a CA file is set but fails to load (see X509_STORE_load_locations()).

While here, fall back to OpenSSL defaults if neither SSL_CA_CERT_FILE nor SSL_CA_CERT_PATH are set in the environment, and if neither of the libfetch default CA files exists.

Test Plan

Verify by test, with the help of truss, DTrace, or equivalent, that an invocation of fetch(1) accesses CA cert paths and files as intended along each of the following degrees of freedom.

  1. "/usr/local/etc/ssl/cert.pem" and "/etc/ssl/cert.pem" exist or not
  2. SSL_CA_CERT_FILE is set or not (affects libfetch)
  3. SSL_CA_CERT_PATHis set or not (affects libfetch)
  4. SSL_CERT_FILE is set or not (affects libcrypto)
  5. SSL_CERT_DIR is set or not (affects libcrypto)

Diff Detail

rS FreeBSD src repository
Lint Skipped
Unit Tests Skipped

Event Timeline retitled this revision from to libfetch: test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH. updated this object. edited the test plan for this revision. (Show Details) added a reviewer: des. set the repository for this revision to rS FreeBSD src repository. added a project: security. added a subscriber: koobs.
bapt added a reviewer: bapt.
bapt added a subscriber: bapt.

As been committed as rS294326 (discussed with des)

This revision is now accepted and ready to land.Jan 19 2016, 3:04 PM