Date: Wed, 31 Jul 2013 09:05:17 -0400
From: Nikolai Lifanov <lifanov@mail.lifanov.com>
To: Michael Gmelin <freebsd@grem.de>
Cc: Baptiste Daroussin <bapt@FreeBSD.org>, freebsd-ports@freebsd.org
Subject: Re: r253680 in CURRENT breaks GH ports and maybe others
Message-ID: <51F90B8D.4030808@mail.lifanov.com>
In-Reply-To: <20130731144853.2a13617b@bsd64.grem.de>
References: <831982af5f96759f17d21aba62b02eb6@mail.lifanov.com> <20130731144853.2a13617b@bsd64.grem.de>
On 07/31/13 08:48, Michael Gmelin wrote:
> On Wed, 31 Jul 2013 08:18:51 -0400
> Nikolai Lifanov <lifanov@mail.lifanov.com> wrote:
>
>> r253680 enables SSL certificate verification for "fetch" command.
>> Ports use "fetch" to download distfiles.
>>
>> At least all USE_GITHUB fetches are broken on CURRENT, and others
>> might be too.
>>
>> What is the correct/intended way to handle master sites that use bad
>> SSL certificates?
>> Is there an intention to depend on a root certificate bundle after
>> this?
>
> Hi Nikolai,
>
> I'd suggest to either:
>
> Install security/ca_root_nss with ETCSYMLINK enabled
>
> or alternatively add "--no-verify-peer" to fetch args for ports (which
> would make sense, since ports uses checksums anyway)
>
> As a quick workaround you can do:
>
> export SSL_NO_VERIFY_PEER=1
> make install
>
> It probably makes sense to modify FETCH_ARGS
> in /usr/ports/Mk/bsd.port.mk to read
>
> FETCH_ARGS?= -AFpr --no-verify-peer
>
> (see also man fetch(1) and fetch(3)).
>
> Having a cert bundle *would* be nice, but like I said, the ports system
> uses checksums, so the additional security probably doesn't make up for
> the trouble.
>
> Cheers,
> Michael
>
>>
>> => Attempting to fetch
>> https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz
>> Certificate verification failed for /C=US/O=DigiCert
>> Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
>> 34380834376:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
>>
>> - Nikolai Lifanov
>>
>> _______________________________________________
>> freebsd-ports@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
>> To unsubscribe, send any mail to
>> "freebsd-ports-unsubscribe@freebsd.org"
>

I fully agree. We already checksum the *distfiles*. It shouldn't be important what the source is.

Are there any objections to adding --no-verify-peer to FETCH_ARGS across the board?

- Nikolai Lifanov
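The distfile checksum step the thread relies on when peer verification is turned off, as an added shell example; this is not code from the thread or from bsd.port.mk. It assumes a ports-style distinfo with SHA256 and SIZE lines, a sha256(1)/sha256sum(1) tool, and a constructed stand-in file in place of the real tarball.

```sh
#!/bin/sh
# Added example, not bsd.port.mk's own code: the distfile check the thread
# relies on when --no-verify-peer is used, i.e. verifying a fetched file
# against a ports-style distinfo (SHA256 and SIZE lines). The sample file
# and tool choice below are assumptions for this demo.

# FreeBSD ships sha256(1), Linux ships sha256sum(1): use whichever exists.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_distfile DISTINFO FILE
# Exit status: 0 = SIZE and SHA256 match, 1 = mismatch, 2 = no entry for FILE.
verify_distfile() {
    distinfo=$1 file=$2
    name=$(basename "$file")
    # distinfo lines: "SHA256 (name.tar.gz) = <hex>" and "SIZE (name.tar.gz) = <n>"
    want_sum=$(awk -v n="$name" '$1 == "SHA256" && $2 == "(" n ")" { print $4 }' "$distinfo")
    want_size=$(awk -v n="$name" '$1 == "SIZE" && $2 == "(" n ")" { print $4 }' "$distinfo")
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 2
    have_size=$(wc -c < "$file" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || return 1
    [ "$(sha256_of "$file")" = "$want_sum" ] || return 1
}

# Demo with a constructed stand-in distfile ("hello\n") where the real
# tarball saved by `fetch -AFpr --no-verify-peer URL` would be.
demo() {
    d=$(mktemp -d)
    f="$d/beadm-0.8.99.20130730.tar.gz"
    printf 'hello\n' > "$f"
    cat > "$d/distinfo" <<EOF
SHA256 (beadm-0.8.99.20130730.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (beadm-0.8.99.20130730.tar.gz) = 6
EOF
    if verify_distfile "$d/distinfo" "$f"; then
        echo "checksum OK: $(basename "$f")"
    else
        echo "checksum FAILED: $(basename "$f")"
    fi
    rm -rf "$d"
}
demo
```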