Diffusion FreeBSD src repository 09f5c1e118bb

libfetch: don't rely on ca_root_nss for certificate validation
09f5c1e118bb
Actions

Description

libfetch: don't rely on ca_root_nss for certificate validation

Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.

We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.

With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.

PR: 256902
MFC after: 3 days
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42059

Details

Provenance

michaelo	Authored on Oct 3 2023, 5:53 AM
des	Committed on Oct 3 2023, 5:53 AM

Reviewer

kevans

Differential Revision

D42059: libfetch: don't rely on ca_root_nss for certificate validation

Parents

rG0afcac3e37e9: SIGSYS: add tests

Branches

Unknown

Tags

Unknown

Event Timeline

des committed rG09f5c1e118bb: libfetch: don't rely on ca_root_nss for certificate validation (authored by michaelo).Oct 3 2023, 5:53 AM

des added an edge: D42059: libfetch: don't rely on ca_root_nss for certificate validation.

des mentioned this in rGfb058a9a40a5: libfetch: don't rely on ca_root_nss for certificate validation.Oct 5 2023, 7:26 AM

des mentioned this in rG4357ae1174f3: libfetch: don't rely on ca_root_nss for certificate validation.Oct 5 2023, 3:54 PM

des mentioned this in rGbaf69f6c9973: libfetch: don't rely on ca_root_nss for certificate validation.Oct 5 2023, 3:56 PM

des mentioned this in rG8d939b7d9845: libfetch: don't rely on ca_root_nss for certificate validation.Oct 5 2023, 3:59 PM

Changes (1)

Path

Size

lib/

libfetch/

common.c

rG09f5c1e118bb

View Options