Page MenuHomeFreeBSD
Differential D5558

Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles
ClosedPublic
Actions

Authored by grembo on Mar 5 2016, 1:34 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Feb 13, 7:25 AM
Unknown Object (File)
Sun, Feb 9, 12:17 AM
Unknown Object (File)
Jan 17 2025, 4:26 PM
Unknown Object (File)
Jan 9 2025, 5:07 PM
Unknown Object (File)
Dec 23 2024, 10:23 PM
Unknown Object (File)
Dec 22 2024, 11:56 PM
Unknown Object (File)
Dec 11 2024, 8:14 PM
Unknown Object (File)
Dec 10 2024, 12:17 PM
View All Files
Subscribers
imp

Details

Reviewers
wblock
bapt
Group Reviewers
manpages
Commits
rS297052: Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles
Summary

r266291 and r294326 changed the lookup algorithm of CA cert bundles in
libftech, but the man pages were not adapted. This patch is an attempt to fix
this.

As both changes have been MFCed and subsequently MFHed to releng/10.3
(r266632 and r295843), I'd suggest to get those changes into 10.3 before
release.

Also did some minor fixes as suggested by igor.

Test Plan

igor
mandoc -Tlint

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

grembo updated this revision to Diff 14102.Mar 5 2016, 1:34 PM
grembo retitled this revision from to Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles.
grembo updated this object.
grembo edited the test plan for this revision. (Show Details)
grembo added a reviewer: bapt.
Herald added a reviewer: manpages. · View Herald TranscriptMar 5 2016, 1:34 PM
Herald added a subscriber: imp. · View Herald Transcript
grembo updated this revision to Diff 14103.Mar 5 2016, 1:44 PM
grembo edited edge metadata.

Also document the fact that SSLv3 is disabled by default now.

Herald edited edge metadata. · View Herald TranscriptMar 5 2016, 1:44 PM
grembo updated this revision to Diff 14104.Mar 5 2016, 1:49 PM
grembo edited edge metadata.

Add two missing environment variables.

fetch(1) should probably be updated to provide command line switches
for those new features, but as this would be a functional change, it
doesn't belong into this review (as it's supposed to be MFCed/MFHed).

Herald edited edge metadata. · View Herald TranscriptMar 5 2016, 1:49 PM
grembo added a reviewer: wblock.Mar 6 2016, 1:10 PM
wblock added inline comments.Mar 11 2016, 9:21 PM
lib/libfetch/fetch.3
403 ↗(On Diff #14104)

Probably better to say

If neither file exists, and
406 ↗(On Diff #14104)

Maybe s/apply/are used/ is clearer?

407 ↗(On Diff #14104)

Does "may" here mean "it is allowed to" or "it might"?

Maybe just s/may/can/ is correct?

541 ↗(On Diff #14104)

The \& might not be needed at all.

As far as "e.g.", how about just "like" instead?

and message, like "File is not available (404 Not Found)"
usr.bin/fetch/fetch.1
142 ↗(On Diff #14104)

As above:

If neither file exists and no CA path has been configured,
143 ↗(On Diff #14104)

s/apply/are used/ ?

144 ↗(On Diff #14104)

s/may/can/ (or "might", depending on what this is trying to say).

145 ↗(On Diff #14104)

Swap this around, not "The port security/ca_root_nss" but "The security/ca_root_nss port".

230 ↗(On Diff #14104)

Break the sentence instead of using a comma:

SSLv3 is disabled by default.
Set
231 ↗(On Diff #14104)

No comma needed here.

grembo updated this revision to Diff 14360.Mar 16 2016, 4:04 PM
grembo marked 10 inline comments as done.

Changes based on review.

Herald edited edge metadata. · View Herald TranscriptMar 16 2016, 4:04 PM
grembo added inline comments.Mar 16 2016, 4:04 PM
lib/libfetch/fetch.3
406 ↗(On Diff #14104)

They are not really actively used by fetch, but it's more like "OpenSSL does whatever it thinks is best" (I took this from the source and/or commit).

541 ↗(On Diff #14104)

I prefer that as well.

usr.bin/fetch/fetch.1
143 ↗(On Diff #14104)

see above

wblock added inline comments.Mar 17 2016, 9:39 PM
lib/libfetch/fetch.3
439 ↗(On Diff #14360)

s/In case/When/ is simpler. But it should also be more explicit:

When a PEM-format key is in a separate file from the client certificate, the environment variable
441 ↗(On Diff #14360)
can be set to point to the key file.

(PEM format has already been specified.)

grembo updated this revision to Diff 14421.Mar 18 2016, 4:02 PM
grembo marked an inline comment as done.
grembo edited edge metadata.

More updates based on @wblock's input.

Herald edited edge metadata. · View Herald TranscriptMar 18 2016, 4:02 PM
grembo marked an inline comment as done.Mar 18 2016, 4:04 PM
wblock accepted this revision.Mar 18 2016, 7:50 PM
wblock edited edge metadata.

I like it. It's a full-bodied patch that has hints of cinammon, a delicate contrast between text and background, a smooth brainfeel, and a sweet finish. I would allow this patch to walk my dog or be ignored by my cat. 5/5, would buy again.

This revision is now accepted and ready to land.Mar 18 2016, 7:50 PM
Closed by commit rS297052: Update fetch.1 and fetch.3 to reflect libfetch's actual use of CA bundles (authored by grembo). · Explain WhyMar 19 2016, 11:55 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
lib/
libfetch/
27 lines
usr.bin/
fetch/
30 lines

Diff 14440

View Options

head/lib/libfetch/fetch.3

Loading...
View Options

head/usr.bin/fetch/fetch.1

Loading...