From owner-svn-ports-all@FreeBSD.ORG Mon Feb 9 09:44:29 2015
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 99068F0C; Mon, 9 Feb 2015 09:44:29 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8436F762; Mon, 9 Feb 2015 09:44:29 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t199iTOu038031; Mon, 9 Feb 2015 09:44:29 GMT (envelope-from koobs@FreeBSD.org)
Received: (from koobs@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t199iSbn038027; Mon, 9 Feb 2015 09:44:28 GMT (envelope-from koobs@FreeBSD.org)
Message-Id: <201502090944.t199iSbn038027@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: koobs set sender to koobs@FreeBSD.org using -f
From: Kubilay Kocak
Date: Mon, 9 Feb 2015 09:44:28 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r378720 - in head/security/ca_root_nss: . files
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the ports tree
X-List-Received-Date: Mon, 09 Feb 2015 09:44:29 -0000

Author: koobs
Date: Mon Feb  9 09:44:28 2015
New Revision: 378720

URL: https://svnweb.freebsd.org/changeset/ports/378720
QAT: https://qat.redports.org/buildarchive/r378720/

Log:
  security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers

  Since 2.7.9, Python verifies SSL certificates by default. Currently, even
  with security/ca_root_nss installed, Python fails certificate verification.

  Upon investigation, Python uses OpenSSL's standard
  SSL_CTX_load_verify_locations function to load a list of CA root
  certificates.

  Support was added to ca_root_nss for "out of the box" certificate
  verification for a number of base utilities in r372629 [1], but this did
  not include support for software that uses OpenSSL's
  SSL_CTX_load_verify_locations function.

  [1] https://svnweb.freebsd.org/changeset/ports/372629

  OpenSSL defaults (at compile time) to the following paths and filenames
  for certificate and CAFile lookup:

  Base:
    SSL_CERT_DIR=/etc/ssl/certs
    SSL_CERT_FILE=/etc/ssl/cert.pem

  Ports:
    SSL_CERT_DIR=/usr/local/openssl/certs
    SSL_CERT_FILE=/usr/local/openssl/cert.pem

  This change installs a symlink which points to the root certificate
  bundle in the location that OpenSSL from ports looks for them. This
  allows any and all software utilising the SSL_CTX_load_verify_locations
  function to verify SSL certificates by default after installation of
  this package.
  Additionally, display a pkg-message to the user about the lack of
  warranty associated with these certificates.

  Note: This is *NOT* related to solving for SSL certificate verification
  for OpenSSL in Base, which is covered in bug 189811.

  While I'm here:

  - Add LICENSE
  - Use options helpers and OPTIONS_SUB
  - Fix typo in !!! message !!!

  PR:		196431
  Submitted by:	koobs
  Reviewed by:	jbeich
  Approved by:	maintainer timeout (1 month)

Added:
  head/security/ca_root_nss/files/pkg-message.in   (contents, props changed)
Modified:
  head/security/ca_root_nss/Makefile
  head/security/ca_root_nss/pkg-plist

Modified: head/security/ca_root_nss/Makefile
==============================================================================
--- head/security/ca_root_nss/Makefile	Mon Feb  9 08:53:10 2015	(r378719)
+++ head/security/ca_root_nss/Makefile	Mon Feb  9 09:44:28 2015	(r378720)
@@ -2,15 +2,21 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} MAINTAINER= gecko@FreeBSD.org -COMMENT= The root certificate bundle from the Mozilla Project +COMMENT= Root certificate bundle from the Mozilla Project + +LICENSE= MPL + +OPTIONS_DEFINE= ETCSYMLINK +OPTIONS_SUB= yes -OPTIONS_DEFINE= ETCSYMLINK ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem +ETCSYMLINK_CONFLICTS= ca-roots-[0-9]* USES= perl5 USE_PERL5= build @@ -21,7 +27,7 @@ CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -# !!! These versions are indented to track security/nss. !!! +# !!! These versions are intended to track security/nss. !!! # !!! Please DO NOT submit patches for new version until it has !!! # !!! been committed there first. !!! # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@@ -29,18 +35,12 @@ VERSION_NSS= 3.17.4 #NSS_SUFFIX= .with.ckbi.1.93 CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt BUNDLE_PROCESSOR= MAca-bundle.pl -SUB_FILES= MAca-bundle.pl + +SUB_FILES= MAca-bundle.pl pkg-message SUB_LIST= VERSION_NSS=${VERSION_NSS} .include -.if ${PORT_OPTIONS:METCSYMLINK} -PLIST_SUB+= ETCSYMLINK= -CONFLICTS= ca-roots-[0-9]* -.else -PLIST_SUB+= ETCSYMLINK="@comment " -.endif - do-extract: @${MKDIR} ${WRKDIR} @${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \ @@ -63,6 +63,8 @@ post-install: ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem .endif ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl - ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem + ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample + ${MKDIR} ${STAGEDIR}${PREFIX}/openssl + ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample .include Added: head/security/ca_root_nss/files/pkg-message.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/ca_root_nss/files/pkg-message.in Mon Feb 9 09:44:28 2015 (r378720) 
@@ -0,0 +1,25 @@ +********************************* WARNING ********************************* + +FreeBSD does not, and can not warrant that the certificate authorities +whose certificates are included in this package have in any way been +audited for trustworthiness or RFC 3647 compliance. + +Assessment and verification of trust is the complete responsibility of the +system administrator. + +*********************************** NOTE ********************************** + +This package installs symlinks to support root certificates discovery by +default for software that uses OpenSSL. + +This enables SSL Certificate Verification by client software without manual +intervention. + +If you prefer to do this manually, replace the following symlinks with +either an empty file or your site-local certificate bundle. + + * /etc/ssl/cert.pem + * %%PREFIX%%/etc/ssl/cert.pem + * %%PREFIX%%/openssl/cert.pem + +*************************************************************************** Modified: head/security/ca_root_nss/pkg-plist ============================================================================== --- head/security/ca_root_nss/pkg-plist Mon Feb 9 08:53:10 2015 (r378719) +++ head/security/ca_root_nss/pkg-plist Mon Feb 9 09:44:28 2015 (r378720) @@ -1,3 +1,4 @@ %%CERTDIR%%/ca-root-nss.crt -etc/ssl/cert.pem +@sample etc/ssl/cert.pem.sample +@sample openssl/cert.pem.sample %%ETCSYMLINK%%/etc/ssl/cert.pem
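Review bot: In the Makefile post-install hunk (@@ -63,6 +63,8 @@) only the CAfile half of the ports OpenSSL defaults is covered. The commit message lists both SSL_CERT_DIR=/usr/local/openssl/certs and SSL_CERT_FILE=/usr/local/openssl/cert.pem, but the hunk adds `${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample` and nothing under ${PREFIX}/openssl/certs, so a consumer that calls SSL_CTX_load_verify_locations with a CApath only (or relies on the hashed-directory lookup) still finds no roots. Either also populate a hashed certs directory from the bundle, or say in the commit message and pkg-message that only the cert.pem (CAfile) location is provided so admins know which consumers this fixes.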
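Review bot: The path list at the end of files/pkg-message.in does not match what the pkg-plist actually installs. `/etc/ssl/cert.pem` is listed unconditionally, but pkg-plist only ships it as `%%ETCSYMLINK%%/etc/ssl/cert.pem`, i.e. when the ETCSYMLINK option is on; and the two %%PREFIX%% entries are registered as `@sample ... cert.pem.sample` symlinks, so the cert.pem an admin is told to "replace" is the copy @sample materialises, which is a regular file rather than a symlink if pkg copies the sample with cp. Suggest phrasing the NOTE around the .sample files (the package owns cert.pem.sample; cert.pem is yours to replace with an empty file or a site bundle) and marking /etc/ssl/cert.pem as ETCSYMLINK-only. Also "does not, and can not warrant" should read "cannot".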
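Review bot: In the pkg-plist hunk (@@ -1,3 +1,4 @@) the two new `@sample` entries give the admin a stable opt-out under ${PREFIX} (a modified cert.pem survives upgrades), but the remaining `%%ETCSYMLINK%%/etc/ssl/cert.pem` is still a plain plist entry, so a site-local bundle placed at /etc/ssl/cert.pem, which the new pkg-message explicitly invites, is overwritten on upgrade and deleted on deinstall. Either convert that entry to `@sample etc/ssl/cert.pem.sample` style handling as well (with the matching .sample symlink in post-install), or drop /etc/ssl/cert.pem from the list of paths the message says are safe to replace.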
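The commit fixes Python's default verification by putting a bundle where the ports OpenSSL's compiled-in SSL_CERT_FILE points. The script below is an added example, not code from the commit or from the ca_root_nss port: it reads the compiled-in defaults out of the running interpreter's OpenSSL (`ssl.get_default_verify_paths()`), applies the SSL_CERT_FILE environment override the same way OpenSSL does, then checks each candidate path from the commit message (existence, symlink target, PEM framing) and finally asks OpenSSL itself to load it, which is the step `SSL_CTX_load_verify_locations` performs. The FreeBSD paths are taken from the commit text and assumed; the embedded PEM sample is constructed and is deliberately not a real certificate, to show that correct PEM framing is not the same as a loadable trust store.

```python
"""Check where this Python's OpenSSL looks for root certificates and whether
a usable CA bundle is really there.

Added example, not code from the FreeBSD commit or the ca_root_nss port.
Standard library only (Python 3.6+).  The FreeBSD paths below are assumptions
taken from the commit message, not discovered at runtime.
"""
import base64
import os
import ssl

# Locations named in the commit message (assumed, not probed for by OpenSSL).
FREEBSD_CANDIDATES = (
    "/etc/ssl/cert.pem",            # base OpenSSL SSL_CERT_FILE
    "/usr/local/etc/ssl/cert.pem",  # ${PREFIX}/etc/ssl symlink from the port
    "/usr/local/openssl/cert.pem",  # ports OpenSSL SSL_CERT_FILE
)

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: two blocks with valid base64 bodies ("QUJD" decodes to
# "ABC", which is not DER) and one block with a corrupt body.
CONSTRUCTED_BUNDLE = "\n".join([
    PEM_BEGIN, "QUJD", PEM_END,
    PEM_BEGIN, "QUJD", PEM_END,
    PEM_BEGIN, "not base64!!", PEM_END,
])


def count_pem_certs(text):
    """Return (ok, bad): PEM certificate blocks whose body is non-empty valid
    base64, and blocks that are malformed or unterminated.  This checks
    framing only; load_bundle_text() is the real parse through OpenSSL."""
    ok = bad = 0
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i] == PEM_BEGIN:
            body = []
            i += 1
            while i < len(lines) and lines[i] != PEM_END:
                body.append(lines[i])
                i += 1
            if i == len(lines):          # BEGIN with no matching END
                bad += 1
                break
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (ValueError, TypeError):
                der = b""
            if der:
                ok += 1
            else:
                bad += 1
        i += 1
    return ok, bad


def _load(**kw):
    """Load a trust store into a fresh client context; None if OpenSSL
    rejects it, else the number of CA certificates it accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(**kw)
    except (ssl.SSLError, OSError, ValueError):
        return None
    return len(ctx.get_ca_certs())


def load_bundle_text(pem_text):
    return _load(cadata=pem_text)


def load_bundle_file(path):
    """What SSL_CTX_load_verify_locations(CAfile=path) does."""
    return _load(cafile=path)


def cafile_env_name():
    return ssl.get_default_verify_paths().openssl_cafile_env


def compiled_cafile():
    return ssl.get_default_verify_paths().openssl_cafile


def effective_cafile(env=None):
    """CA file used by OpenSSL's default verify paths: the environment
    override (normally SSL_CERT_FILE) wins over the compiled-in default."""
    env = os.environ if env is None else env
    return env.get(cafile_env_name()) or compiled_cafile()


def inspect_path(path):
    """Existence, symlink target, PEM block count and OpenSSL load result."""
    info = {"path": path, "exists": os.path.exists(path),
            "symlink_target": os.path.realpath(path) if os.path.islink(path) else None,
            "pem_blocks": 0, "loaded": None}
    if info["exists"]:
        with open(path, "r", errors="replace") as fh:
            info["pem_blocks"] = count_pem_certs(fh.read())[0]
        info["loaded"] = load_bundle_file(path)
    return info


def report():
    dvp = ssl.get_default_verify_paths()
    print("compile-time defaults: %s=%s %s=%s" % (
        dvp.openssl_cafile_env, dvp.openssl_cafile,
        dvp.openssl_capath_env, dvp.openssl_capath))
    print("effective CA file:     %s" % effective_cafile())
    for path in dict.fromkeys((dvp.openssl_cafile,) + FREEBSD_CANDIDATES):
        if path:
            print(inspect_path(path))


if __name__ == "__main__":
    report()
```

Run it before and after installing the package: a path that exists with a plausible `pem_blocks` count but `loaded` of None or 0 means OpenSSL cannot use the file, which is exactly the state in which Python 2.7.9+ refuses every HTTPS connection even though a bundle appears to be present.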