From owner-freebsd-pkg@FreeBSD.ORG Sun Jan 18 07:25:01 2015
From: bugzilla-noreply@freebsd.org
To: pkg@FreeBSD.org
Subject: [Bug 191352] ports-mgmt/pkg v 1.2.7_3 does not honor the HTTP_PROXY_AUTH variable.
Date: Sun, 18 Jan 2015 07:25:01 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191352

--- Comment #10 from vas@mpeks.tomsk.su ---
(In reply to Baptiste Daroussin from comment #9)
Did anyone care to reproduce the problem?

From owner-freebsd-pkg@FreeBSD.ORG Mon Jan 19 11:07:43 2015
From: "Baptiste Daroussin"
To: "Mohit Hasija", "portmgr@FreeBSD.org"
Cc: pkg@freebsd.org
Subject: Re: Please help regarding usage of client certificates with pkg command used on FreeBSD
Date: Mon, 19 Jan 2015 11:07:36 +0000

January 1 2015 8:09 AM, "Mohit Hasija" wrote:
> Dear Pkg port Manager,
>
> We intend to use client certificates for https authentication during
> retrieval of a package from a custom repository built at remote location.
>
> We want to know the following:
>
> 1. Is there inbuilt support for usage of client certificates with "pkg"
> command on FreeBSD 10.1 release?
>
> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>
> In case No, how can we add support to pkg with minimal efforts for using
> client certificates?
>
> Awaiting an early reply...
>
> regards
>
> Mohit Hasija
> Mobile No.: +91-9958302266

pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does
support such a feature.

Adding such a feature to libfetch would be great but that would also mean
it will not find its way to FreeBSD 10.1 as FreeBSD 10.1 is already
released.

FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss such
things.

Best regards,
Bapt

From owner-freebsd-pkg@FreeBSD.ORG Mon Jan 19 11:29:09 2015
From: Matthew Seaman
To: freebsd-pkg@freebsd.org
Subject: Re: Please help regarding usage of client certificates with pkg command used on FreeBSD
Date: Mon, 19 Jan 2015 11:28:47 +0000

On 01/19/15 11:07, Baptiste Daroussin wrote:
> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does
> support such a feature.
>
> Adding such a feature to libfetch would be great but that would also mean
> it will not find its way to FreeBSD 10.1 as FreeBSD 10.1 is already
> released.
>
> FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss
> such things.

This should be possible -- see the fetch(3) man page, especially the
ENVIRONMENT section where it mentions amongst other things:

     SSL_CLIENT_CERT_FILE
                 PEM encoded client certificate/key which will be used
                 in client certificate authentication.

     SSL_CLIENT_KEY_FILE
                 PEM encoded client key in case key and client
                 certificate are stored separately.

Simply set those environment variables to appropriate values and it
should just work. You may need to add settings to tell fetch(3) to
trust the server certificates. If you can make the client cert
authentication work with fetch(1) -- which might be easier to debug --
then it should work with pkg(8). Do let us know how you get on.

Cheers,

Matthew

From owner-freebsd-pkg@FreeBSD.ORG Mon Jan 19 12:28:35 2015
From: "Baptiste Daroussin"
To: freebsd-pkg@freebsd.org
Subject: Re: Please help regarding usage of client certificates with pkg command used on FreeBSD
Date: Mon, 19 Jan 2015 12:28:29 +0000

January 19 2015 12:29 PM, "Matthew Seaman" wrote:
> Simply set those environment variables to appropriate values and it
> should just work. You may need to add settings to tell fetch(3) to
> trust the server certificates. If you can make the client cert
> authentication work with fetch(1) -- which might be easier to debug --
> then it should work with pkg(8). Do let us know how you get on.
>
> Cheers,

If it works with those environment variables, then you can add them right
into your pkg.conf
PKG_ENV: {
  SSL_CLIENT_CERT_FILE: ...
  SSL_CLIENT_KEY_FILE: ...
}

From owner-freebsd-pkg@FreeBSD.ORG Mon Jan 19 12:58:18 2015
From: Mohit Hasija
To: Baptiste Daroussin, "pkg@freebsd.org"
Subject: RE: Please help regarding usage of client certificates with pkg command used on FreeBSD
Date: Mon, 19 Jan 2015 12:44:54 +0000

Dear Baptiste,

we have found from the pkg source code that the environment variables
SSL_CLIENT_CERT_FILE and SSL_CLIENT_KEY_FILE are required to be set before
using client certificates with pkg.

In order to automate the setting of environment variables, before pkg
begins https authentication with a remote repository server, we decided to
use plugins feature of pkg. We decided to write a callback function that
would be called at appropriate time and set the environment variables.
However, after much R&D, we could not find any HOOK that could be used to
register a callback function, which could be called before https
authentication takes place.

Hence, we have decided to use pkg_plugin_init() function for setting the
environment variables. This function is called every time a pkg command is
executed and hence we can set the environment variables. In
pkg_plugin_shutdown() function, we can remove the environment variables.

Please suggest any better method to set the environment variables or
provide your feedback on our approach.

regards

Mohit Hasija
Mobile No.: +91-9958302266

From owner-freebsd-pkg@FreeBSD.ORG Mon Jan 19 13:02:48 2015
From: "Baptiste Daroussin"
To: "Mohit Hasija", pkg@freebsd.org
Subject: Re: Please help regarding usage of client certificates with pkg command used on FreeBSD
Date: Mon, 19 Jan 2015 13:02:44 +0000

January 19 2015 1:58 PM, "Mohit Hasija" wrote:
> Hence, we have decided to use pkg_plugin_init() function for setting the
> environment variables. This function is called every time a pkg command
> is executed and hence we can set the environment variables. In
> pkg_plugin_shutdown() function, we can remove the environment variables.
>
> Please suggest any better method to set the environment variables or
> provide your feedback on our approach.

PKG_ENV in pkg.conf is exactly designed for that

Best regards,
Bapt

From owner-freebsd-pkg@FreeBSD.ORG Wed Jan 21 00:07:48 2015
From: Niklaas Baudet von Gersdorff
To: freebsd-pkg@freebsd.org
Subject: Working with multiple repositories
Date: Wed, 21 Jan 2015 00:58:00 +0100

Hi,

I have a server with several jails running. Works great and I am pretty
amazed. Recently I installed `poudriere` and finally managed to create my
own `pkg` repositories. At this stage I have two: one general one and
another one with specific compile options for all the jails that run
`postfix` and `dovecot`. In the second repository `postfix` is compiled
with SASL support and in the first one it isn't.

Access to my repositories works very fine from every jail but I still have
not figured out how to specify that the second repository needs to be
taken for `postfix` in one of the jails. `man pkg-repository` says:

    WORKING WITH MULTIPLE REPOSITORIES
         Where several different repositories are configured pkg will
         search amongst them all in the order specified, unless directed
         to use a single repository by the -r flag to pkg-fetch(8),
         pkg-install(8), pkg-upgrade(8), pkg-search(8) or pkg-rquery(8).
         The search order is as displayed in the output of

               pkg -v -v

Works fine, I can see both repositories.

         Where several different versions of the same package are
         available, pkg will select the one with the highest version to
         install or to upgrade an installed package to, even if a lower
         numbered version can be found in a repository earlier in the
         list. This applies even if an explicit version is stated on the
         command line. Thus if packages example-1.0.0 and example-1.0.1
         are available in configured repositories, then

               pkg install example-1.0.0

         will actually result in example-1.0.1 being installed. To
         override this behaviour, on first installation of the package
         select the repository with the appropriate version:

               pkg install -r repo-a example-1.0.0

         and then to make updates to that package ``sticky'' to the same
         repository, add an annotation to the package:

               pkg annotate -A example repository repo-a

Unfortunately, does not work. I forced a reinstall of postfix with
`pkg install -f postfix -r second-repository` and after that did

    pkg annotate -A postfix repository second-repository

but another `pkg upgrade` wants to install the package from
first-repository (since options changed).

I am not sure whether I might misunderstand the context of the man page. I
do _not_ want to install a specific version but from a specific
repository. Though, the way I understand it above commands should work and
another `pkg upgrade` should result in an "everything is fine" message
(since already the newest version from second-repository is installed) and
not try to install from first-repository again.

How can I specify that a package _always_ is installed from a repository
that is not listed as the first one in `/usr/local/etc/pkg/repos/`?

Any help is very much appreciated.

-- 
Niklaas
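
For the client-certificate thread earlier in this archive (fetch(3) variables placed in PKG_ENV in pkg.conf), here is an added example that is not from any poster or from the pkg project: it checks the PEM files before they are referenced and prints the PKG_ENV block, covering both the separate-key and the combined certificate/key layout that the quoted fetch(3) text describes. The file paths, the absolute-path requirement and the "no group/other access on the key" rule are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread or the pkg project): check the PEM files
# named by fetch(3)'s SSL_CLIENT_CERT_FILE / SSL_CLIENT_KEY_FILE and print the
# PKG_ENV block for pkg.conf in the form shown in the thread.

# True if FILE holds a PEM block of the given kind.
has_cert() { grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; }
has_key()  { grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null; }

# True if FILE is a regular file whose group and other permission bits are
# all clear (e.g. 0600 or 0400). This is a local policy assumed here.
private_mode() (
    [ -f "$1" ] || exit 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
)

# render_pkg_env CERT [KEY]
# KEY may be omitted when CERT holds both the certificate and the key.
# Exit codes: 2 relative path, 3 no certificate, 4 no private key,
# 5 key file accessible to group/other.
render_pkg_env() (
    cert=$1
    key=${2:-}
    keyfile=${key:-$cert}          # file that actually contains the key
    for p in "$cert" "$keyfile"; do
        # pkg can be started from any directory, so require absolute paths.
        case $p in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; exit 2 ;;
        esac
    done
    has_cert "$cert"        || { echo "no PEM certificate in $cert" >&2; exit 3; }
    has_key "$keyfile"      || { echo "no PEM private key in $keyfile" >&2; exit 4; }
    private_mode "$keyfile" || { echo "$keyfile is accessible to group/other" >&2; exit 5; }

    printf 'PKG_ENV: {\n'
    printf '  SSL_CLIENT_CERT_FILE: "%s"\n' "$cert"
    if [ -n "$key" ]; then
        printf '  SSL_CLIENT_KEY_FILE: "%s"\n' "$key"
    fi
    printf '}\n'
)

# fetch_check CERT KEY URL: try the same settings with fetch(1) before
# editing pkg.conf, as the thread suggests. FreeBSD only; URL is a file on
# your own repository server. Pass "" as KEY for a combined file.
fetch_check() (
    SSL_CLIENT_CERT_FILE=$1; export SSL_CLIENT_CERT_FILE
    if [ -n "$2" ]; then
        SSL_CLIENT_KEY_FILE=$2; export SSL_CLIENT_KEY_FILE
    fi
    fetch -o /dev/null "$3"
)

# Demo on constructed files (PEM markers only, no real key material).
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$d/client.key"
    chmod 644 "$d/client.key"      # too open: expected to be rejected
    render_pkg_env "$d/client.crt" "$d/client.key" || echo "rejected (exit $?)"
    chmod 600 "$d/client.key"
    render_pkg_env "$d/client.crt" "$d/client.key"
)

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the rejected and accepted cases; on a real host, call `render_pkg_env` with the actual certificate and key paths and paste the output into pkg.conf.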