On Wed, 31 Jul 2013 08:18:51 -0400 Nikolai Lifanov <lifa...@mail.lifanov.com> wrote:
> r253680 enables SSL certificate verification for "fetch" command.
> Ports use "fetch" to download distfiles.
>
> At least all USE_GITHUB fetches are broken on CURRENT, and others
> might be too.
>
> What is the correct/intended way to handle master sites that use bad
> SSL certificates?
> Is there an intention to depend on a root certificate bundle after
> this?

Hi Nikolai,

I'd suggest to either:

Install security/ca_root_nss with ETCSYMLINK enabled

or alternatively

add "--no-verify-peer" to fetch args for ports (which would make sense,
since ports uses checksums anyway)

As a quick workaround you can do:

  export SSL_NO_VERIFY_PEER=1
  make install

It probably makes sense to modify FETCH_ARGS in
/usr/ports/Mk/bsd.port.mk to read

  FETCH_ARGS?= -AFpr --no-verify-peer

(see also man fetch(1) and fetch(3)).

Having a cert bundle *would* be nice, but like I said, the ports system
uses checksums, so the additional security probably doesn't make up for
the trouble.

Cheers,
Michael

>
> => Attempting to fetch
> https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz
> Certificate verification failed for /C=US/O=DigiCert
> Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
> 34380834376:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
>
> - Nikolai Lifanov
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to
> "freebsd-ports-unsubscr...@freebsd.org"

--
Michael Gmelin
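
Added example, not part of the thread: the checksum step the reply relies on, written as a sh function that checks a downloaded distfile against the SHA256 and SIZE records of a port's distinfo file. The function names, file names and contents are constructed for illustration, and the check is only as trustworthy as the ports tree the distinfo came from.

```shell
#!/bin/sh
# Added example: verify a distfile against distinfo records of the form
#   SHA256 (name) = <hex>
#   SIZE (name) = <bytes>

# Print the hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'   # GNU coreutils
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# distinfo_field KEY NAME DISTINFO -> value recorded for NAME, or empty.
distinfo_field() {
    awk -v key="$1" -v name="($2)" \
        '$1 == key && $2 == name && $3 == "=" { print $4; exit }' "$3"
}

# verify_distfile FILE DISTINFO [NAME]
# Returns 0 if size and SHA256 match, 1 on mismatch, 2 if no record exists.
verify_distfile() {
    file=$1 distinfo=$2 name=${3:-$(basename "$1")}
    want_sum=$(distinfo_field SHA256 "$name" "$distinfo")
    want_size=$(distinfo_field SIZE "$name" "$distinfo")
    # A file with no record is never accepted, however it was fetched.
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 2
    have_size=$(wc -c < "$file" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || return 1
    [ "$(sha256_of "$file")" = "$want_sum" ] || return 1
    return 0
}

# Demo on constructed data (not a real port).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/example-1.0.tar.gz"
printf 'constructed distfile\n' > "$demo_file"
printf 'SHA256 (example-1.0.tar.gz) = %s\nSIZE (example-1.0.tar.gz) = %s\n' \
    "$(sha256_of "$demo_file")" "$(wc -c < "$demo_file" | tr -d ' ')" \
    > "$demo_dir/distinfo"
verify_distfile "$demo_file" "$demo_dir/distinfo" && echo "checksum OK"
printf 'tampered  distfile\n' >> "$demo_file"   # simulate a modified download
verify_distfile "$demo_file" "$demo_dir/distinfo" || echo "checksum mismatch"
rm -rf "$demo_dir"
```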