For some purposes it's useful to be able to build the ca_root_nss with a
custom certctl command. It may be desirable for instance to run
certctl rehash at the end of a package upgrade rather than in the
middle, in which case it's sufficient to substitute CERTCTL_CMD=:.
Make the certctl command name a variable so that one can override it at
port build time. No functional change intended.
PR: 290115
Approved by: maintainer (timeout, 1 month)
Sponsored by: OPNsense
Sponsored by: Klara, Inc.

The post-install and post-deinstall scripts simply invoke "certctl
rehash", which of course requires root privileges. Modify them to
enable unprivileged installation, useful for building VM images. For
instance, FreeBSD's EC2 image builder wants to install amazon-ssm-agent,
which depends on ca_root_nss.
Modify the scripts to:
1. Use PKG_ROOTDIR as the root instead of assuming the default.
2. When installing, and PKG_METALOG is set, assume we're doing an
unprivileged build and tell certctl to write updates to the
configured METALOG.
Note, the use of PKG_METALOG depends on a new pkg feature:
https://github.com/freebsd/pkg/pull/2476
If an updated ca_root_nss is installed using an old pkg(8), then the
PKG_METALOG variable will not be set, so there are no compatibility
issues.
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
PR: 288243

It turns out that some ports have an undisclosed dependency on the
symlink and cannot be trivially changed to use the system trust
store instead.
Amend the package message to make it clear that software which relies
on this symlink is not following recommended practice.
I will look into getting certctl(8) to provide cert.pem instead, but
it may take a while until we can rely on this being in place on all
supported releases.
This partly reverts commit 483e74f44b82.
PR: 274322
MFH: 2023Q4
Reviewed by: fluffy
Differential Revision: https://reviews.freebsd.org/D42120

MFH: 2023Q4
Reviewed by: fluffy, sunpoet
Differential Revision: https://reviews.freebsd.org/D42045

and support CKA_NSS_SERVER_DISTRUST_AFTER to not include
certificates if the extracted bundle of certificates
is generated later than the expiration date.
This script no longer emits trust certificates for
* EMAIL_PROTECTION
* CODE_SIGNING
because the default certificate bundle in FreeBSD is supposed to
be used for server authentication.
Reported by: Christian Heimes <christian@python.org>
via: Gordon Tetlow
Approved by: ports-secteam (riggs@) (maintainer)

Notes:
svn path=/head/; revision=508909

Approved by: portmgr (bapt), bapt (ports committer)
Notes:
svn path=/head/; revision=386873

Since 2.7.9, Python verifies SSL certificates by default. Currently,
even with security/ca_root_nss installed, Python fails certificate
verification.
Upon investigation, Python uses OpenSSL's standard
SSL_CTX_load_verify_locations function to load a list of CA root
certificates.
Support was added to ca_root_nss for "out of the box" certificate
verification for a number of base utilities in r372629 [1], but this
did not include support for software that uses OpenSSL's
SSL_CTX_load_verify_locations function.
[1] https://svnweb.freebsd.org/changeset/ports/372629
OpenSSL defaults (at compile time) to the following paths and filenames
for certificate and CAFile lookup:
Base:
SSL_CERT_DIR=/etc/ssl/certs
SSL_CERT_FILE=/etc/ssl/cert.pem
Ports:
SSL_CERT_DIR=/usr/local/openssl/certs
SSL_CERT_FILE=/usr/local/openssl/cert.pem
This change installs a symlink which points to the root certificate
bundle in the location that OpenSSL from ports looks for them.
This allows any and all software utilising SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.
Additionally, display a pkg-message to the user about the lack of
warranty associated with these certificates.
Note: This is *NOT* related to solving for SSL certificate verification
for OpenSSL in Base, which is covered in bug 189811.
While I'm here:
- Add LICENSE
- Use options helpers and OPTIONS_SUB
- Fix typo in !!! message !!!
PR: 196431
Submitted by: koobs
Reviewed by: jbeich
Approved by: maintainer timeout (1 month)
Notes:
svn path=/head/; revision=378720

- Only look at CKA_TRUST_SERVER_AUTH, _EMAIL_PROTECTION, and
_CODE_SIGNING attributes.
- Omit certificates that do not have any explicit trust value in these
three attributes; at least one of the purposes must mark the
certificate a trusted delegator.
- Validate that the trust is one of three known trust values, to become
aware of syntax changes in certdata.txt. If it is an unknown token,
abort with an error stating that the script must be updated.
- Check that we have at least 25 certificates in the output or abort.
This removes these two certificates that have "unknown"
(CKT_NSS_MUST_VERIFY_TRUST) in all three tokens, making them unfit as
trust anchors:
1 C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA,
CN=TC TrustCenter Universal CA III
2 C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com,
CN=UTN-USERFirst-Network Applications
164 trusted certificates remain.
Notes:
svn path=/head/; revision=325572
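Added example (Python, written for this page; it is not the port's MAca-bundle script, which the log does not show): the rules from this commit, together with the CKA_NSS_SERVER_DISTRUST_AFTER handling from the 2019 entry above, applied to a constructed certdata.txt fragment. Only the three CKA_TRUST_* attributes are consulted, a root must be a trusted delegator for at least one selected purpose, any CK_TRUST token outside the three known values aborts the run, a minimum certificate count is enforced, and a root whose server distrust-after date is earlier than the bundle's generation date is omitted. The purposes parameter generalises the two rules on the page: all three attributes as this commit does, or server authentication only as the later entry describes. The function names, the sample objects (their CKA_VALUE bytes are not real DER) and the assumed 2020 generation date are mine; the octal encoding and the UTCTime layout of the distrust-after field follow the certdata.txt format rather than anything stated in the log.

```python
# Constructed example of the certdata.txt trust rules in this log; not the port's MAca-bundle script.
import re
from datetime import datetime, timezone

KNOWN_TRUST = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED", "CKT_NSS_MUST_VERIFY_TRUST"}
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")
SERVER_AUTH_ONLY = TRUST_ATTRS[:1]      # the bundle is meant for server authentication
BUILT_2020 = datetime(2020, 1, 1, tzinfo=timezone.utc)   # assumed bundle generation date

def decode_octal(lines):
    """MULTILINE_OCTAL payloads are \\NNN escapes, one byte each."""
    return bytes(int(m.group(1), 8) for ln in lines for m in re.finditer(r"\\([0-7]{3})", ln))

def parse_certdata(text):
    """One dict per certdata.txt object; blank and comment lines separate objects."""
    objects, cur, lines = [], {}, iter(text.splitlines())
    for ln in lines:
        parts = ln.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            if cur:
                objects.append(cur)
            cur = {}
        elif len(parts) == 2 and parts[1] == "MULTILINE_OCTAL":
            block = list(iter(lambda: next(lines).strip(), "END"))   # lines up to END
            cur[parts[0]] = decode_octal(block)
        elif len(parts) == 3:                                        # NAME TYPE VALUE
            cur[parts[0]] = parts[2].strip('"')
    return objects + ([cur] if cur else [])

def select_trusted(objects, purposes=SERVER_AUTH_ONLY, generated_at=None, min_count=25):
    """Return (label, certificate bytes) for every object fit to be a trust anchor."""
    certs = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trusts = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    selected = []
    for label, cert in certs.items():
        trust = trusts.get(label)
        if trust is None:
            raise ValueError(f"no trust block for {label!r}")
        tokens = {a: trust.get(a) for a in TRUST_ATTRS}
        unknown = set(tokens.values()) - KNOWN_TRUST - {None}
        if unknown:   # certdata.txt syntax changed: abort rather than guess
            raise ValueError(f"unknown trust token {unknown.pop()!r} on {label!r}; update this script")
        if not any(tokens[p] == "CKT_NSS_TRUSTED_DELEGATOR" for p in purposes):
            continue  # no selected purpose marks it a trusted delegator
        # CKA_NSS_SERVER_DISTRUST_AFTER is a UTCTime (YYMMDDHHMMSSZ) when set: omit the
        # root if the bundle is generated after that date.
        cutoff = cert.get("CKA_NSS_SERVER_DISTRUST_AFTER")
        if generated_at and isinstance(cutoff, bytes):
            when = datetime.strptime(cutoff.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
            if generated_at > when:
                continue
        selected.append((label, cert["CKA_VALUE"]))
    if len(selected) < min_count:   # guard against a truncated or broken run
        raise ValueError(f"only {len(selected)} certificate(s) selected, expected at least {min_count}")
    return selected

def build(text, **kw):
    """('ok', labels) or ('abort', message) for the certdata.txt text given."""
    try:
        return "ok", [label for label, _ in select_trusted(parse_certdata(text), **kw)]
    except ValueError as exc:
        return "abort", str(exc)

# Constructed certdata.txt fragment; the CKA_VALUE bytes are not real DER.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Good CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\002\001\001
END
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Good CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Legacy CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\002\001\003
END
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\061\061\061\070\060\060\060\060\060\060\132
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Legacy CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''
# Variants: an unrecognised token, and roots "unknown" in all three purposes.
SAMPLE_BAD_TOKEN = SAMPLE.replace("CKT_NSS_MUST_VERIFY_TRUST", "CKT_NSS_NEW_TOKEN", 1)
SAMPLE_ALL_UNKNOWN = SAMPLE.replace("CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_MUST_VERIFY_TRUST")
if __name__ == "__main__":
    print(build(SAMPLE, generated_at=BUILT_2020, min_count=1))
```

Run with python3: the sample yields ('ok', ['Constructed Good CA']), because the legacy root is a trusted delegator for server authentication but its distrust-after date (18 November 2019) precedes the assumed 2020 build, while build(SAMPLE, min_count=1) without a generation date keeps both roots. SAMPLE_ALL_UNKNOWN reproduces the case this commit describes: roots marked CKT_NSS_MUST_VERIFY_TRUST in all three purposes are never selected, and with the default min_count of 25 a run that selects too few certificates aborts. The abort paths return ('abort', message) rather than raising so the checks are easy to exercise.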

creation, to verbosely print omitted and included certificates.
Approved by: flo@ on "as long as you fix it if it breaks" condition
Notes:
svn path=/head/; revision=312617

- update firefox-esr, thunderbird, linux-firefox, linux-thunderbird to 17.0.3
- update linux-seamonkey to 2.16
- update nspr to 4.9.5
- update nss to 3.14.3
- add DuckDuckGo search plugin to firefox [1]
- mark kompozer deprecated
- clang fixes for www/libxul19 [2]
Security: http://www.vuxml.org/freebsd/e3f0374a-7ad6-11e2-84cd-d43d7e0c7c02.html
Submitted by: DuckDuckGo [1], dim [2]
In collaboration with: Jan Beich <jbeich@tormail.org>
Notes:
svn path=/head/; revision=312608

- Also work with HEAD (1.79) version of Mozilla's certdata.txt,
reported by Daniel Stenberg.
- Add BSD 2-clause license.
- Die when certificates without trust block appear.
Notes:
svn path=/head/; revision=281163

Notes:
svn path=/head/; revision=281156

to revoke DigiNotar.nl trust.
Security fix: the modssl ca-bundle.pl script did not process
"untrusted" marks on certificates. Drop it and write a new
script in its place that does that.
Synch up with security/nss port to 3.12.11.
Not asking for maintainer approval because of multiple
timeouts in response to related PRs vs. security/[ca_root_]nss.
Notes:
svn path=/head/; revision=281152

- Properly sub VERSION_NSS var [1]
- While here, update to 3.12.6 to sync with security/nss
PR: ports/143584 [1]
Submitted by: Kevin Kobb <kkobb@skylinecorp.com> [1]
Approved by: maintainer timeout (brooks ; 209 days) [1]
Notes:
svn path=/head/; revision=260735

Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.
Notes:
svn path=/head/; revision=195104