HomeFreeBSD

libfetch: don't rely on ca_root_nss for certificate validation

Description

libfetch: don't rely on ca_root_nss for certificate validation

Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.

We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.

With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.

PR: 256902
MFC after: 3 days
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42059
Approved by: re (gjb)

(cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)
(cherry picked from commit fb058a9a40a5adc82721ed822fb4fba213446a7b)

Details

Provenance
michaeloAuthored on Oct 3 2023, 5:53 AM
desCommitted on Oct 5 2023, 3:52 PM
Reviewer
kevans
Differential Revision
D42059: libfetch: don't rely on ca_root_nss for certificate validation
Parents
rG3042b1d8159a: makefs/zfs: Ensure that the last block of a file has the right size
Branches
Unknown
Tags
Unknown