acinclude.m4: improve autodetection of CA bundle on FreeBSD #894


@michael-o
Member

The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle to
/usr/local/share/certs/ca-root-nss.crt. Use this bundle in the discovery process.

configure output:

configure: Configured to build curl/libcurl:

  curl version:     7.50.0-DEV
  Host setup:       i386-unknown-freebsd9.3
  Install prefix:   /net/home/osipovmi/freebsd-ca-bundle
  Compiler:         gcc
  SSL support:      enabled (OpenSSL)
  SSH support:      enabled (libSSH2)
  zlib support:     enabled
  GSS-API support:  no      (--with-gssapi)
  TLS-SRP support:  enabled
  resolver:         default (--enable-ares / --enable-threaded-resolver)
  IPv6 support:     no      (--enable-ipv6)
  Unix sockets support: enabled
  IDN support:      enabled
  Build libcurl:    Shared=yes, Static=yes
  Built-in manual:  enabled
  --libcurl option: enabled (--disable-libcurl-option)
  Verbose errors:   enabled (--disable-verbose)
  SSPI support:     no      (--enable-sspi)
  ca cert bundle:   /usr/local/share/certs/ca-root-nss.crt
  ca cert path:     no
  ca fallback:      no
  LDAP support:     enabled (OpenLDAP)
  LDAPS support:    enabled
  RTSP support:     enabled
  RTMP support:     no      (--with-librtmp)
  metalink support: no      (--with-libmetalink)
  PSL support:      no      (libpsl not found)
  HTTP2 support:    disabled (--with-nghttp2)
  Protocols:        DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS LDAP LDAPS POP3 POP3S RTSP SCP SFTP SMB SMBS SMTP SMTPS TELNET TFTP

curl-config output:

$ ~/freebsd-ca-bundle/bin/curl-config --ca
/usr/local/share/certs/ca-root-nss.crt

Sample request:

$ ~/freebsd-ca-bundle/bin/curl -I --verbose https://<server>
*   Trying <IP>...
* Connected to <server> (<IP>) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=...; C=DE; CN=<server>
*  SSL certificate verify ok.
@michael-o michael-o acinclude.m4: improve autodetection of CA bundle on FreeBSD
The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle to
/usr/local/share/certs/ca-root-nss.crt. Use this bundle in the discovery process.
468eee7
@jay
Member
jay commented Jun 24, 2016

While yours may have this (and so does mine) I assume there's a good reason /usr/local/share/certs/ca-root.crt was there...

@michael-o
Member
michael-o commented Jun 24, 2016 edited

There is no /usr/local/share/certs/ca-root.crt from ports. This is not a standard file location. Tagging this as FreeBSD is simply not correct.

@jay
Member
jay commented Jun 25, 2016

You've skirted my point; that's not proof it's not correct. Someone put it in there, I assume with good reason, and just because there's nothing in there that adds it now doesn't mean at some past point it wasn't valid. We have to support a wide array of systems, including legacy stuff. We should leave it unless we know it was a typo or something. You can put it above so the search order is like

/usr/local/share/certs/ca-root-nss.crt FreeBSD
/usr/local/share/certs/ca-root.crt older FreeBSD

git blame puts it at 304537c , anything to add @dfandrich ?

@michael-o
Member
michael-o commented Jun 25, 2016 edited

@jay This may be handcrafted on the system Dan used. No evidence for an old canonical location. The ports system is not tied to a FreeBSD version. All versions used the same ports. So if you have 8.x, 9.x, 10.x, the CA bundle will be either in /usr/local or /etc/ssl. That is how I have documented it. Moreover, the FreeBSD curl port does not even rely on this loop. It passes the path directly to configure.
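The two mechanisms the thread keeps coming back to, the ordered search over candidate bundle paths (first existing file wins) and the explicit path that the FreeBSD port hands straight to configure, can be modelled in a few lines of POSIX sh. The script below is an added example and is not curl's acinclude.m4; the candidate list is constructed for the example (only the ca-root-nss.crt path comes from this PR, /etc/ssl/cert.pem is an assumed stand-in for the /etc/ssl location mentioned above), the ROOT argument exists only so it can be run against a scratch directory, and the existence check on the explicit path is the example's own, not a claim about what configure does.

```shell
#!/bin/sh
# Added example (not curl's own configure logic): model of CA bundle discovery.
# Candidate list is constructed for this example. Order matters: the first
# existing file wins. The former /usr/local/share/certs/ca-root.crt entry is
# deliberately absent, matching the outcome of this PR.
CA_BUNDLE_CANDIDATES="\
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt"

# find_ca_bundle ROOT [EXPLICIT]
#   ROOT     - prefix prepended to every path, so the search can be exercised
#              against a scratch tree instead of the live system (assumption).
#   EXPLICIT - optional path, modelling --with-ca-bundle=PATH as passed by the
#              FreeBSD port; when given, autodetection is skipped entirely.
# Prints the chosen bundle path (without ROOT) and returns 0, or returns 1
# when nothing usable is found (configure would report "ca cert bundle: no").
find_ca_bundle() {
    root=$1
    explicit=$2
    if [ -n "$explicit" ]; then
        # Example's own sanity check: an explicit bundle that does not exist
        # is an error now rather than a verify failure at run time.
        [ -f "$root$explicit" ] || return 1
        printf '%s\n' "$explicit"
        return 0
    fi
    for cand in $CA_BUNDLE_CANDIDATES; do
        if [ -f "$root$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# demo_freebsd: builds a scratch tree containing only the NSS port's bundle
# and runs the search against it; returns find_ca_bundle's status.
demo_freebsd() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/share/certs"
    : > "$tmp/usr/local/share/certs/ca-root-nss.crt"   # constructed, empty
    find_ca_bundle "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Once curl is built, the page's own checks confirm which bundle the binary actually uses: `curl-config --ca` prints the path baked in at configure time, and the `CAfile:` line in `curl --verbose` output shows what OpenSSL was handed for the connection, which is the value to compare against the expected bundle on a hardened host.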

@jay
Member
jay commented Jun 26, 2016

It's just not enough to convince me to remove it. I agree the nss bundle should be in the search.

Distantly related: kennethreitz/requests#2899

@michael-o
Member

@jay This actually reflects what I am saying. If you do not know what this is for and don't want to remove it, let's keep it and tag it as (unknown). @dfandrich Would you remove it these days, since you have introduced it?

@jay
Member
jay commented Jun 27, 2016

We do know what it's for; it's for older FreeBSD until proved otherwise. It shouldn't be unknown, it should be changed to FreeBSD (legacy) or older FreeBSD, something like that.

@michael-o
Member
michael-o commented Jun 27, 2016 edited

@jay Here is the proof: The port was added 2007-07-06 and the Makefile already contained the filename ca-root-nss.crt. See revision 195105, lines 52 to 55, do-build target. If you take a closer look at it with blame, you'll see that the filename hasn't changed since then. Is that proof enough?

@jay
Member
jay commented Jun 27, 2016

That's not proof that ca-root.crt wasn't in use with older FreeBSD, it's just proof that ca-root-nss was added. Also see https://bugs.python.org/msg192601

@bagder
Member
bagder commented Jun 27, 2016 edited

I'll agree with @jay that the evidence seems to suggest that the path was used at some point in time (up to 2008?). It seems safest to just add detection of the new path.

@michael-o
Member

@jay While I need to admit that you are right here, that the port has been removed from the tree in 2008, no official FreeBSD version is available from that time and it is not available in the ports tree, which means that with the next ports update there won't be any update or the port will be removed.

If you still insist on it, I can re-add it as FreeBSD (legacy). Is that OK for you?

@michael-o
Member
michael-o commented Jun 27, 2016 edited

For the record, revision 215953 removed the old port. This was 8 years ago. The last version to use this was FreeBSD 7.0-RELEASE.

@bagder
Member
bagder commented Jun 27, 2016

I changed my mind. 8 years is a very long time. Let's remove that legacy path.

It would still be easy to work around for anyone who's trapped with a legacy system from back then.

@bagder bagder added a commit that closed this pull request Jun 27, 2016
@michael-o @bagder michael-o + bagder acinclude.m4: improve autodetection of CA bundle on FreeBSD
The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
discovery process.

This change also removes the former FreeBSD path that has been obsolete
for 8 years since this FreeBSD ports commit:
https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953

Closes #894
d61c805
@bagder bagder closed this in d61c805 Jun 27, 2016
@bagder
Member
bagder commented Jun 27, 2016

Thanks for all the comments, work and input on this!

@bagder bagder added the build label Jun 27, 2016