security/ca_root_nss: Restore the ETC_SYMLINK.

It turns out that some ports have an undisclosed dependency on the
symlink and cannot be trivially changed to use the system trust
store instead.

Amend the package message to make it clear that software which relies
on this symlink is not following recommended practice.

I will look into getting certctl(8) to provide cert.pem instead, but
it may take a while until we can rely on this being in place on all
supported releases.

This partly reverts commit 483e74f44b82.

PR:		274322
MFH:		2023Q4
Reviewed by:	fluffy
Differential Revision:	https://reviews.freebsd.org/D42120

3 files changed, 27 insertions, 3 deletions

diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
index 3abe00856c78..91741dc352ef 100644
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -17,8 +17,14 @@ USE_PERL5=	build
 NO_ARCH=	yes
 WRKSRC_SUBDIR=	nss
 
+OPTIONS_DEFINE=		ETCSYMLINK
+OPTIONS_DEFAULT=	ETCSYMLINK
+
 OPTIONS_SUB=		yes
 
+ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
+ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*
+
 CERTDIR?=	share/certs
 PLIST_SUB+=	CERTDIR=${CERTDIR}
 
@@ -43,4 +49,8 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
 	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
 
+do-install-ETCSYMLINK-on:
+	${MKDIR} ${STAGEDIR}/etc/ssl
+	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
+
 .include <bsd.port.mk>
diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in
index a28b233e6599..b272b6030486 100644
--- a/security/ca_root_nss/files/pkg-message.in
+++ b/security/ca_root_nss/files/pkg-message.in
@@ -5,8 +5,19 @@ FreeBSD does not, and can not warrant that the certification authorities
 whose certificates are included in this package have in any way been
 audited for trustworthiness or RFC 3647 compliance.
 
-Assessment and verification of trust is the complete responsibility of the
-system administrator.
+Assessment and verification of trust is the complete responsibility of
+the system administrator.
+
+This package installs symlinks to support root certificate discovery
+for software that either uses other cryptographic libraries than
+OpenSSL, or use OpenSSL but do not follow recommended practice.
+
+If you prefer to do this manually, replace the following symlinks with
+either an empty file or your site-local certificate bundle.
+
+  * /etc/ssl/cert.pem
+  * %%PREFIX%%/etc/ssl/cert.pem
+  * %%PREFIX%%/openssl/cert.pem
 EOM
 }
 ]
diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
index ef04e1ffd140..81d723328b37 100644
--- a/security/ca_root_nss/pkg-plist
+++ b/security/ca_root_nss/pkg-plist
@@ -1,4 +1,7 @@
 %%CERTDIR%%/ca-root-nss.crt
+@sample etc/ssl/cert.pem.sample
+@sample openssl/cert.pem.sample
+%%ETCSYMLINK%%/etc/ssl/cert.pem
 @postexec certctl rehash
 @postunexec certctl rehash
 @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt