On 07/31/13 08:48, Michael Gmelin wrote:
On Wed, 31 Jul 2013 08:18:51 -0400
Nikolai Lifanov <lifa...@mail.lifanov.com> wrote:
r253680 enables SSL certificate verification for the "fetch" command.
Ports use "fetch" to download distfiles.
At least all USE_GITHUB fetches are broken on CURRENT, and others
might be too.
What is the correct/intended way to handle master sites that use bad
SSL certificates?
Is there an intention to depend on a root certificate bundle after
this?
Hi Nikolai,
I'd suggest either:
- Install security/ca_root_nss with ETCSYMLINK enabled, or
- alternatively add "--no-verify-peer" to the fetch args for ports (which
  would make sense, since ports uses checksums anyway).
As a quick workaround you can do:
export SSL_NO_VERIFY_PEER=1
make install
It probably makes sense to modify FETCH_ARGS
in /usr/ports/Mk/bsd.port.mk to read
FETCH_ARGS?= -AFpr --no-verify-peer
(see also man fetch(1) and fetch(3)).
Having a cert bundle *would* be nice, but like I said, the ports system
uses checksums, so the additional security probably doesn't make up for
the trouble.
Cheers,
Michael
=> Attempting to fetch https://codeload.github.com/vermaden/beadm/legacy.tar.gz/d7d7cd3?dummy=/beadm-0.8.99.20130730.tar.gz
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
34380834376:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
- Nikolai Lifanov
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
I fully agree. We already checksum the *distfiles*.
It shouldn't be important what the source is.
Are there any objections to adding --no-verify-peer to FETCH_ARGS across
the board?
- Nikolai Lifanov
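The argument made in the thread is that the ports tree already pins every distfile's SHA256 and SIZE in distinfo, so a download that was tampered with in transit fails the build whether or not fetch(1) verified the server certificate. The script below is an added example written for this page, not code from the thread or from the ports tree: it imitates the "makesum" and "checksum" steps with small stand-alone shell functions (sha256_of, size_of, make_distinfo, check_distfile and fetch_distfile are hypothetical names; the real logic lives in /usr/ports/Mk/bsd.port.mk), builds a constructed three-byte "distfile" reusing the filename from the thread's GitHub URL, records its checksum, and then shows that a substituted file is rejected. The fetch_distfile function only documents the proposed FETCH_ARGS and is not run, since it needs FreeBSD fetch(1) from r253680 or later.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ports tree: a
# stand-alone imitation of the ports "makesum" and "checksum" steps.
# Helper names are hypothetical; the real logic is in
# /usr/ports/Mk/bsd.port.mk.

# Portable SHA256 hex digest: FreeBSD sha256(1), GNU sha256sum(1), or openssl.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Byte size, stripped of the leading whitespace that BSD wc(1) prints.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Like "make makesum": record SHA256 and SIZE lines for one distfile.
make_distinfo() {   # make_distinfo <distfile> <distinfo>
    name=$(basename "$1")
    printf 'SHA256 (%s) = %s\n' "$name" "$(sha256_of "$1")" > "$2"
    printf 'SIZE (%s) = %s\n'   "$name" "$(size_of "$1")"   >> "$2"
}

# Like the ports "checksum" target: return 0 only if both the SHA256 and
# the SIZE recorded in distinfo match the file on disk, 1 otherwise.
check_distfile() {  # check_distfile <distfile> <distinfo>
    name=$(basename "$1")
    want_sum=$(awk -v n="$name" '$1 == "SHA256" && $2 == ("(" n ")") { print $4 }' "$2")
    want_size=$(awk -v n="$name" '$1 == "SIZE"   && $2 == ("(" n ")") { print $4 }' "$2")
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 1   # no entry: refuse
    [ "$(sha256_of "$1")" = "$want_sum" ] || return 1
    [ "$(size_of "$1")" = "$want_size" ] || return 1
    return 0
}

# The download step with the FETCH_ARGS proposed in the thread. Not run in
# the demo below: it needs FreeBSD fetch(1) from r253680 or later, where
# --no-verify-peer exists.
fetch_distfile() {  # fetch_distfile <url> <distfile>
    fetch -AFpr --no-verify-peer -o "$2" "$1"
}

# Demo with a constructed distfile (three bytes, not a real tarball).
demo() {
    tmp=$(mktemp -d)
    df="$tmp/beadm-0.8.99.20130730.tar.gz"
    printf 'abc' > "$df"
    make_distinfo "$df" "$tmp/distinfo"
    cat "$tmp/distinfo"
    if check_distfile "$df" "$tmp/distinfo"; then
        echo "checksum ok"
    fi
    # Simulate an on-path attacker substituting the distfile: same size,
    # one byte changed. No certificate was checked, yet the build stops.
    printf 'abd' > "$df"
    if ! check_distfile "$df" "$tmp/distinfo"; then
        echo "checksum mismatch, distfile rejected"
    fi
    rm -rf "$tmp"
}

demo
```

What --no-verify-peer gives up is protection of the connection itself: an active attacker can read and alter the transfer. The distinfo check turns an altered transfer into a failed fetch rather than a compromised build, which is the point the thread makes. What it cannot cover is the distinfo entry itself, which is trusted as of the moment "make makesum" recorded it and reaches the user through the ports tree's own distribution channel, so that channel, not the distfile's HTTPS connection, is where the integrity of the build actually rests.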