aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Osipov <michael.osipov@siemens.com>2023-10-03 05:53:20 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2023-10-05 15:52:43 +0000
commit4357ae1174f37fa2c10f7de7c05536f23e7439c4 (patch)
tree0b06ca99a040aa8fb1e0b6592fa8584a95cf442f
parent3042b1d8159a44faa2bac8c28810ec05025ebfbb (diff)
downloadsrc-4357ae1174f37fa2c10f7de7c05536f23e7439c4.tar.gz
src-4357ae1174f37fa2c10f7de7c05536f23e7439c4.zip
libfetch: don't rely on ca_root_nss for certificate validation
Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers. We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store. With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store. PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059 Approved by: re (gjb) (cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59) (cherry picked from commit fb058a9a40a5adc82721ed822fb4fba213446a7b)
-rw-r--r--lib/libfetch/common.c8
1 files changed, 0 insertions, 8 deletions
diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index fd2091791620..dfa742577585 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -1055,8 +1055,6 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
/*
* Configure peer verification based on environment.
*/
-#define LOCAL_CERT_FILE _PATH_LOCALBASE "/etc/ssl/cert.pem"
-#define BASE_CERT_FILE "/etc/ssl/cert.pem"
static int
fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
{
@@ -1066,12 +1064,6 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
ca_cert_file = getenv("SSL_CA_CERT_FILE");
- if (ca_cert_file == NULL &&
- access(LOCAL_CERT_FILE, R_OK) == 0)
- ca_cert_file = LOCAL_CERT_FILE;
- if (ca_cert_file == NULL &&
- access(BASE_CERT_FILE, R_OK) == 0)
- ca_cert_file = BASE_CERT_FILE;
ca_cert_path = getenv("SSL_CA_CERT_PATH");
if (verbose) {
fetch_info("Peer verification enabled");