Date: Wed, 31 Jul 2013 14:48:53 +0200
From: Michael Gmelin <freebsd@grem.de>
To: Nikolai Lifanov <lifanov@mail.lifanov.com>
Cc: freebsd-ports@freebsd.org
Subject: Re: r253680 in CURRENT breaks GH ports and maybe others
Message-ID: <20130731144853.2a13617b@bsd64.grem.de>
In-Reply-To: <831982af5f96759f17d21aba62b02eb6@mail.lifanov.com>
References: <831982af5f96759f17d21aba62b02eb6@mail.lifanov.com>

On Wed, 31 Jul 2013 08:18:51 -0400
Nikolai Lifanov <lifanov@mail.lifanov.com> wrote:

> r253680 enables SSL certificate verification for "fetch" command.
> Ports use "fetch" to download distfiles.
>
> At least all USE_GITHUB fetches are broken on CURRENT, and others
> might be too.
>
> What is the correct/intended way to handle master sites that use bad
> SSL certificates?
> Is there an intention to depend on a root certificate bundle after
> this?

Hi Nikolai,

I'd suggest to either:

Install security/ca_root_nss with ETCSYMLINK enabled

or alternatively

add "--no-verify-peer" to fetch args for ports (which would make sense,
since ports uses checksums anyway)

As a quick workaround you can do:

    export SSL_NO_VERIFY_PEER=1
    make install

It probably makes sense to modify FETCH_ARGS in
/usr/ports/Mk/bsd.port.mk to read

    FETCH_ARGS?= -AFpr --no-verify-peer

(see also man fetch(1) and fetch(3)).

Having a cert bundle *would* be nice, but like I said, the ports system
uses checksums, so the additional security probably doesn't make up for
the trouble.

Cheers,
Michael

>
> => Attempting to fetch
> https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz
> Certificate verification failed for /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
> 34380834376:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
>
> - Nikolai Lifanov
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to
> "freebsd-ports-unsubscribe@freebsd.org"

--
Michael Gmelin
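
The checksum check that the reply above relies on, as an added example (not part of the original e-mail and not the ports framework's own code). It assumes the distinfo line layout `SHA256 (file) = <hex>` and `SIZE (file) = <bytes>`; the function names, file name and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a fetched distfile against a distinfo-style manifest.
# Function names, file names and contents are constructed for illustration.

# Use whichever SHA-256 tool is present (FreeBSD: sha256, Linux: sha256sum).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# verify_distfile DISTINFO FILE -> 0 if SIZE and SHA256 both match, else 1
verify_distfile() {
    distinfo=$1; file=$2; name=$(basename "$2")
    want_sum=$(awk -v n="($name)" '$1=="SHA256" && $2==n {print $4}' "$distinfo")
    want_size=$(awk -v n="($name)" '$1=="SIZE" && $2==n {print $4}' "$distinfo")
    # No manifest entry means nothing vouches for the file: fail closed.
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 1
    have_size=$(wc -c < "$file" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || return 1
    [ "$(sha256_of "$file")" = "$want_sum" ] || return 1
}

# Constructed sample: a "distfile" and the manifest recorded for it.
work=$(mktemp -d)
printf 'constructed tarball contents\n' > "$work/example-1.0.tar.gz"
{
    echo "SHA256 (example-1.0.tar.gz) = $(sha256_of "$work/example-1.0.tar.gz")"
    echo "SIZE (example-1.0.tar.gz) = $(wc -c < "$work/example-1.0.tar.gz" | tr -d ' ')"
} > "$work/distinfo"

verify_distfile "$work/distinfo" "$work/example-1.0.tar.gz" && echo "intact: OK"

# Same length, different bytes: SIZE still matches, SHA256 does not.
printf 'constructed tarball CONTENTS\n' > "$work/example-1.0.tar.gz"
verify_distfile "$work/distinfo" "$work/example-1.0.tar.gz" || echo "modified: rejected"
rm -rf "$work"
```

The check vouches only for files whose hash is listed, so it is as trustworthy as the distinfo file it reads from.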
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130731144853.2a13617b>