Date:      Mon, 19 Jan 2015 11:28:47 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-pkg@freebsd.org
Subject:   Re: Please help regarding usage of client certifcates with pkg command used on freeBSD
Message-ID:  <54BCEA6F.9050108@infracaninophile.co.uk>
In-Reply-To: <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>
References:  <afee7e679b57440a9006c1d5ba6892c1@NODEXCHMBX001.TechMahindra.com> <9ad51442a3c72408e067ef1d1af8ee6e@mail.etoilebsd.net>

On 01/19/15 11:07, Baptiste Daroussin wrote:
> January 1 2015 8:09 AM, "Mohit Hasija" <mh00122988@techmahindra.com> wrote:
>> Dear Pkg port Manager,
>>
>> We intend to use client certificates for https authentication during retrieval of a package from a
>> custom repository built at remote location.
>>
>> We want to know the following:
>>
>> 1. Is there inbuilt support for usage of client certificates with "pkg" command on FreeBSD 10.1
>> release?
>>
>> In case Yes, how can we use the client certificates with pkg on FreeBSD?
>>
>> In case No, how can we add support to pkg with minimal efforts for using client certificates?
>>
>> Awaiting an early reply...
>>
>> regards
>>
>> Mohit Hasija
>> Mobile No.: +91-9958302266
>
> pkg(8) is using libfetch to handle http(s) and I'm not sure libfetch does support such feature.
>
> Adding such feature to libfetch would be great but that would also mean it will not find its way to FreeBSD 10.1 as FreeBSD 10.1 is already released.
>
> FYI: I added pkg@FreeBSD.org to CC as it is the right list to discuss such things.

This should be possible -- see the fetch(3) man page, especially the
ENVIRONMENT section where it mentions amongst other things:

 SSL_CLIENT_CERT_FILE
                 PEM encoded client certificate/key which will be used
                 in client certificate authentication.

 SSL_CLIENT_KEY_FILE
                 PEM encoded client key in case key and client
                 certificate are stored separately.

Simply set those environment variables to appropriate values and it
should just work.  You may need to add settings to tell fetch(3) to
trust the server certificates. If you can make the client cert
authentication work with fetch(1) -- which might be easier to debug --
then it should work with pkg(8).  Do let us know how you get on.

	Cheers,

	Matthew
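
The following is an added example, not part of the original message and not code from the pkg or libfetch projects: a preflight check for the two variables quoted above, followed by the fetch(1)-then-pkg(8) test the reply suggests. The function names, file paths and pkg.example.org URL are hypothetical; SSL_CA_CERT_FILE is the fetch(3) variable for the CA bundle used to verify the server.

```shell
#!/bin/sh
# Added example: preflight check for libfetch client-certificate settings.
# All paths and the repository URL in the usage comment are placeholders.

# has_pem FILE LABEL -> 0 if FILE holds a "-----BEGIN ... LABEL-----" block
has_pem() {
    grep -Eq -- "^-----BEGIN ([A-Z0-9]+ )*$2-----" "$1" 2>/dev/null
}

# private_perms FILE -> 0 if group and other have no permission bits set
private_perms() {
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# check_client_cert_env: validate SSL_CLIENT_CERT_FILE / SSL_CLIENT_KEY_FILE
# as fetch(3) describes them. Returns 0 when usable, else a reason code.
check_client_cert_env() {
    cert=${SSL_CLIENT_CERT_FILE:-}
    key=${SSL_CLIENT_KEY_FILE:-$cert}   # key may be stored in the cert file
    [ -n "$cert" ] || { echo "SSL_CLIENT_CERT_FILE is not set" >&2; return 1; }
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    has_pem "$cert" CERTIFICATE ||
        { echo "no PEM certificate in $cert" >&2; return 3; }
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 2; }
    has_pem "$key" "PRIVATE KEY" ||
        { echo "no PEM private key in $key" >&2; return 4; }
    private_perms "$key" ||
        { echo "$key is accessible to group/other" >&2; return 5; }
    return 0
}

# try_repo URL: debug with fetch(1) first, then run pkg(8) in the same
# environment, since both go through libfetch.
try_repo() {
    check_client_cert_env || return
    fetch -o /dev/null "$1" && pkg update -f
}

# Usage on the FreeBSD client (constructed paths, placeholder URL):
#   export SSL_CLIENT_CERT_FILE=/usr/local/etc/ssl/pkg-client.crt
#   export SSL_CLIENT_KEY_FILE=/usr/local/etc/ssl/pkg-client.key
#   export SSL_CA_CERT_FILE=/usr/local/etc/ssl/repo-ca.pem
#   try_repo https://pkg.example.org/myrepo/packagesite.txz
```

The check only looks at PEM headers and file modes; it does not confirm that the key matches the certificate or that the server accepts it, which is what the fetch(1) step is for.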







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54BCEA6F.9050108>